New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can add custom ports without permission #443
Comments
|
Clicking + doesn't actually add the port, the network changes aren't applied until you actually hit "Save". If you fully reload the page they won't be there. It might be incorrectly showing that they're in the list (and it shouldn't be showing the option to edit ports if you don't have permission) - but I can verify that the security model is operating correctly and the changes are not being applied when the user doesn't have permission. Indeed as it says, the API call to set the network information (the ports) requires the global Reconfigure permission for ADS. So while it's a tad confusing that the user can even see that dialog when they won't be able to make any changes, the security model is operating as intended and there is no fault. |
|
Aah, there was a change at one point where the + and - didn't actually make the changes, indeed you're right and at the moment they do. Different API calls in that situation. Turns out, |
|
We are assigning a CVE for this issue. Details to follow. |
|
This issue was assigned CVE-2021-31926 - The issue was fixed as part of the 2.1.1.2 update. |





Bug Report
System Information
I confirm:
Symptoms
Editing ports of an istance without having the proper permission
That it gives me an error
The port is added without saying anything
Reproduction
On the step 5, if I do "Save changes" it will give me this error

The text was updated successfully, but these errors were encountered: