REST API missing protection - security issue #2749

Closed
cmeury opened this issue Aug 27, 2016 · 2 comments

Comments

@cmeury

cmeury commented Aug 27, 2016

I am not sure how this is happening but I wanted to quickly drop a note here, better sooner than later with these things.
The end-point https://example.org:12900/system/cluster/node is accessible without authorization and exposes details like node id, internal IP, internal hostname. What's going on here?

@joschi joschi added this to the 2.x milestone Aug 29, 2016
@bernd bernd modified the milestones: 2.1.1, 2.x Aug 31, 2016
@bernd bernd modified the milestones: 2.2.0, 2.1.1 Sep 12, 2016
@bernd
Member

bernd commented Sep 12, 2016

The endpoint is currently used by the web interface to check if a server is available. This is done before the user is logged in. We will change this to use an endpoint that does not expose that much information in Graylog 2.2 and protect the /cluster/node and /cluster/nodes endpoints to only be accessible to authenticated users.

Thank you for the report!
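An added example, not code from the Graylog project or from either commenter, that a defender can run against their own Graylog server to confirm the protection described in this comment: it requests /system/cluster/node with no credentials and reports whether the server now refuses the request or still returns node details. The JSON key names checked are assumptions, not taken from this thread.

```python
import json
import urllib.error
import urllib.request

# Assumed key names for the values the report mentions (node id, internal
# IP, internal hostname); adjust them to match your server's actual response.
SENSITIVE_KEYS = ("node_id", "transport_address", "hostname")


def classify(status, body):
    """Classify an unauthenticated GET of /system/cluster/node.

    'protected'  - server refused the request (401/403): the fix is in place
    'exposed'    - 200 with node details in the JSON body
    'unexpected' - anything else; inspect the response by hand
    """
    if status in (401, 403):
        return "protected"
    if status != 200:
        return "unexpected"
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected"
    if isinstance(data, dict) and any(k in data for k in SENSITIVE_KEYS):
        return "exposed"
    return "unexpected"


def check_cluster_node(base_url, timeout=5):
    """Request the endpoint without credentials; return (status, verdict)."""
    url = base_url.rstrip("/") + "/system/cluster/node"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403 arrive here as exceptions; keep the status and body
        status, body = err.code, err.read().decode("utf-8", "replace")
    return status, classify(status, body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: check_cluster_node.py https://graylog.example:12900")
    print(check_cluster_node(sys.argv[1]))
```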

@cmeury
Author

cmeury commented Sep 12, 2016

Thanks for picking this up and apologies for the haphazard report, I just wanted to get this out there as quickly as possible.
