Bug 994880 - Activity Server allows to run any JPQL query statement over REST API
Status: CLOSED CURRENTRELEASE
Product: JBoss Fuse Service Works 6
Classification: JBoss
Component: RT Governance
Version: 6.0.0 GA
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ER1
Target Release: ---
Assigned To: Gary Brown
QA Contact: Jiri Sedlacek
Reported: 2013-08-08 03:57 EDT by Jiri Pechanec
Modified: 2015-08-02 19:44 EDT
Doc Type: Bug Fix
Last Closed: 2014-02-06 10:27:05 EST
Type: Bug
External Trackers
Tracker: JBoss Issue Tracker
ID: RTGOV-244
Priority: Major
Status: Closed
Summary: Activity Server allows to run any JPQL query statement over REST API
Last Updated: 2014-07-02 05:19:32 EDT

Description Jiri Pechanec 2013-08-08 03:57:38 EDT
http://localhost:8080/overlord-rtgov/activity/query allows executing virtually any JPQL query over the Activity Server database.

This might pose a security risk in the future, so I propose a review by the security team.
Comment 1 Gary Brown 2013-08-08 04:09:25 EDT
Given that the operation is 'query' I am happy to restrict it to SELECT statements.
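The SELECT-only restriction proposed in Comment 1, shown as an added example that is not the RTGov project's code and not taken from this bug. The class name, method names, the entity name Evt and the sample queries are all hypothetical and constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical guard for a JPQL "query" REST operation: SELECT statements only. */
public class SelectOnlyJpqlGuard {

    // First word of the statement. JPQL defines SELECT, UPDATE and DELETE
    // statements; Hibernate's HQL also accepts INSERT ... SELECT.
    private static final Pattern FIRST_KEYWORD = Pattern.compile("^\\s*([A-Za-z]+)\\b");

    /** True only when the first keyword is SELECT (any case, leading whitespace allowed). */
    public static boolean isSelect(String jpql) {
        if (jpql == null) {
            return false;
        }
        Matcher m = FIRST_KEYWORD.matcher(jpql);
        return m.find() && "SELECT".equalsIgnoreCase(m.group(1));
    }

    /** Call before handing the string to EntityManager.createQuery(String). */
    public static String requireSelect(String jpql) {
        if (!isSelect(jpql)) {
            throw new IllegalArgumentException("Only SELECT statements are accepted");
        }
        return jpql;
    }

    public static void main(String[] args) {
        // Constructed sample requests; the entity name Evt is made up.
        List<String> samples = Arrays.asList(
            "SELECT e FROM Evt e WHERE e.id = 1",
            "  select count(e) from Evt e",
            "DELETE FROM Evt e",
            "UPDATE Evt e SET e.status = 'x'",
            "insert into Evt (id) select e.id from Evt e",
            "selection e",
            "");
        for (String q : samples) {
            System.out.printf("%-8s %s%n", isSelect(q) ? "accept" : "reject", q);
        }
    }
}
```

A first-keyword check stops UPDATE and DELETE statements, but a caller can still read any mapped entity with SELECT, so the endpoint still needs authentication and authorization.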
Comment 3 Jiri Pechanec 2013-09-16 05:55:47 EDT
Verified in ER2
Comment 7 JBoss JIRA Server 2014-07-02 05:19:32 EDT
Gary Brown <gary@brownuk.com> updated the status of jira RTGOV-244 to Closed
