user detail leak via api request #5068
Closed
Comments
This bug has been fixed in #5079 and the fix will be in the upcoming 2.5 release.
bernd added a commit that referenced this issue on Nov 23, 2018
Expected Behavior
Only administrative users should be able to retrieve the user information of other users from the API.
Current Behavior
When the username is known (or guessed) every user can get details about every user.
Possible Solution
Make the user details only available to the user themselves and the admin.
Context
When running with multiple users that are not known to each other on the same Graylog setup, every user would be able to retrieve information about other users, including what they can access.
This is worse from a company perspective, revealing their customer details to other customers, but in addition this could be used as initial information for further attacks against Graylog.
Your Environment
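The access-control gap this issue describes, and the "self or admin" rule proposed under Possible Solution, side by side as an added illustration. This is example code written for this page, not Graylog's own implementation; the user records, role names and the 200/403/404 status codes are constructed assumptions. The hardened version applies the authorization check before consulting the user directory, so a denied request does not reveal whether a guessed username exists.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """Minimal stand-in for a user record (constructed for this example)."""
    username: str
    email: str
    roles: set = field(default_factory=set)
    permissions: set = field(default_factory=set)


# Constructed sample directory; the role and permission names are assumptions.
USERS = {
    "alice": User("alice", "alice@example.com", {"Reader"}, {"streams:read:stream-a"}),
    "bob": User("bob", "bob@example.com", {"Reader"}, {"streams:read:stream-b"}),
    "root": User("root", "admin@example.com", {"Admin"}, {"*"}),
}


def user_to_dict(user):
    """Serialise the fields an API response would expose, including access rights."""
    return {
        "username": user.username,
        "email": user.email,
        "roles": sorted(user.roles),
        "permissions": sorted(user.permissions),
    }


def get_user_vulnerable(requester, target_username):
    """Before the fix: authentication only. Any logged-in user can read any
    other user's record, including what that user can access."""
    target = USERS.get(target_username)
    if target is None:
        return 404, None
    return 200, user_to_dict(target)


def is_admin(user):
    """Hypothetical admin test: an Admin role or the wildcard permission."""
    return "Admin" in user.roles or "*" in user.permissions


def get_user_hardened(requester, target_username):
    """After the fix: the record is returned only to the user themselves or
    to an administrator. The authorization check runs before the lookup, so
    non-admins get the same 403 whether or not the username exists."""
    if requester.username != target_username and not is_admin(requester):
        return 403, None
    target = USERS.get(target_username)
    if target is None:
        return 404, None
    return 200, user_to_dict(target)


if __name__ == "__main__":
    print(get_user_vulnerable(USERS["alice"], "bob"))   # leaks bob's record
    print(get_user_hardened(USERS["alice"], "bob"))     # (403, None)
    print(get_user_hardened(USERS["root"], "bob"))      # admin still allowed
```

The ordering of the check matters: if the existence lookup ran first and returned 404 for unknown names, a non-admin could still enumerate valid usernames by distinguishing 403 from 404 responses.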