Motivation
The move to FLASK as a webui backend introduced a cookie leak in the auth_token workflows of the webui. This potentially leaks the contents of cookies to other sessions. Impact is that Rucio authentication tokens are leaked to other users accessing the webui within a close timeframe, thus allowing users to access the webui with the leaked authentication token. Privileges are therefore also escalated.
Modification
The underlying issue is that one of the cookie variables is defined as global, thus leaking within the wsgi_container in sessions executed in close time. A fix is currently in preparation.
Related issue is #4810
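A minimal model of the bug class described in this issue, added here as an illustration and not taken from the Rucio code base: a WSGI-style handler that stages its cookie in a module-level global, next to the same handler with per-request state. The handler names, the `sync` test hook, the `REMOTE_USER` lookup and the token values are assumptions constructed for the example.

```python
import threading

# Constructed placeholder tokens, not real Rucio tokens.
TOKENS = {"alice": "tok-alice-CONSTRUCTED", "bob": "tok-bob-CONSTRUCTED"}
COOKIES = []  # vulnerable: module-level, shared by all requests in the worker


def vulnerable_app(environ, start_response, sync):
    """Hypothetical handler that stages its cookie in a module global."""
    global COOKIES
    COOKIES = [("auth_token", TOKENS[environ["REMOTE_USER"]])]
    sync()  # test hook: a second request runs in the same process here
    start_response("200 OK", [("Set-Cookie", f"{k}={v}") for k, v in COOKIES])
    return [b""]


def fixed_app(environ, start_response, sync):
    """Same handler with the cookie held in per-request state (a local)."""
    cookies = [("auth_token", TOKENS[environ["REMOTE_USER"]])]
    sync()
    start_response("200 OK", [("Set-Cookie", f"{k}={v}") for k, v in cookies])
    return [b""]


def run_concurrently(app, users=("alice", "bob")):
    """Serve one request per user in parallel; return {user: Set-Cookie}."""
    barrier = threading.Barrier(len(users))
    seen = {}
    def request(user):
        def start_response(status, headers):
            seen[user] = dict(headers)["Set-Cookie"]
        app({"REMOTE_USER": user}, start_response, barrier.wait)
    threads = [threading.Thread(target=request, args=(u,)) for u in users]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return seen


def leaked(seen):
    """Users whose response carried a token issued to a different user."""
    return sorted(u for u, c in seen.items() if c != f"auth_token={TOKENS[u]}")


if __name__ == "__main__":
    print("global cookie state:", leaked(run_concurrently(vulnerable_app)))
    print("per-request state:  ", leaked(run_concurrently(fixed_app)))
```

The barrier forces both requests to write before either reads, which makes the "close timeframe" overlap from the report reproducible instead of timing dependent.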