REST API missing protection - security issue #2749
Comments
The endpoint is currently used by the web interface to check if a server is available. This is done before the user is logged in. We will change this to use an endpoint that does not expose that much information in Graylog 2.2 and protect the Thank you for the report!
Thanks for picking this up and apologies for the haphazard report, I just wanted to get this out there as quickly as possible.
I am not sure how this is happening but I wanted to quickly drop a note here, better sooner than later with these things.
The end-point
https://example.org:12900/system/cluster/node
is accessible without authorization and exposes details like node id, internal IP, internal hostname. What's going on here?