user detail leak via api request #5068
Only administrative users should be able to retrieve the user information of other users from the API.
When the username is known (or guessed), every user can get details about every user.
Make the user details only available to the user themselves and the admin.
When running with multiple users that are not known to each other on the same Graylog setup, every user would be able to retrieve information about other users, including what they can access.
This is bad from a company perspective, since it reveals customer details to other customers, but in addition it could be used as initial information for further attacks against Graylog.
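The access rule the report asks for, as an added illustration that is not Graylog's code and not part of the issue: a hypothetical user-lookup handler in the form the reporter describes (any authenticated user can read any record) next to a hardened form that allows the request only for the account owner or an admin. The `User` model, the `USERS` directory and the constructed sample accounts are assumptions for the example. The hardened version runs the authorization check before the lookup so that a non-admin asking about someone else gets the same result whether or not the username exists, which keeps the endpoint from confirming guessed usernames.

```python
"""Hypothetical user-lookup endpoint logic (not Graylog's code) showing the
authorization check the issue asks for: only the user themselves or an admin
may read a user's details."""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class User:
    username: str
    email: str
    is_admin: bool
    permissions: FrozenSet[str]   # what the account can access


class Forbidden(Exception):
    """Requester may not read this record (would map to HTTP 403)."""


class NotFound(Exception):
    """No such user (would map to HTTP 404)."""


# Constructed sample directory standing in for the real user store.
USERS = {
    "admin": User("admin", "admin@example.org", True, frozenset({"*"})),
    "alice": User("alice", "alice@customer-a.example", False,
                  frozenset({"streams:read:a1"})),
    "bob": User("bob", "bob@customer-b.example", False,
                frozenset({"streams:read:b1"})),
}


def _render(user: User) -> dict:
    """The detail record the endpoint returns, including access rights."""
    return {
        "username": user.username,
        "email": user.email,
        "permissions": sorted(user.permissions),
    }


def get_user_vulnerable(requester: User, username: str) -> dict:
    """Behaviour the issue describes: any authenticated user may read any user.

    The requester is accepted but never consulted for authorization."""
    user = USERS.get(username)
    if user is None:
        raise NotFound(username)
    return _render(user)


def get_user_hardened(requester: User, username: str) -> dict:
    """Only the account owner or an admin may read the record.

    The authorization check runs before the lookup, so a non-admin asking about
    someone else gets the same Forbidden whether or not that username exists;
    this stops the endpoint from being used to confirm guessed usernames.
    """
    if not (requester.is_admin or requester.username == username):
        raise Forbidden(f"{requester.username} may not read {username}")
    user = USERS.get(username)
    if user is None:
        raise NotFound(username)
    return _render(user)


def outcome(handler, requester_name: str, target: str) -> str:
    """Demonstration helper: classify one request as 200, 403 or 404."""
    try:
        handler(USERS[requester_name], target)
        return "200"
    except Forbidden:
        return "403"
    except NotFound:
        return "404"


if __name__ == "__main__":
    for who, target in [("alice", "bob"), ("alice", "alice"),
                        ("admin", "bob"), ("alice", "nobody")]:
        print(who, "->", target,
              "vulnerable:", outcome(get_user_vulnerable, who, target),
              "hardened:", outcome(get_user_hardened, who, target))
```

Note that the vulnerable form also answers 404 for unknown names and 200 for known ones, so on top of leaking the record it doubles as a username oracle; the hardened form collapses both cases to 403 for anyone who is neither the owner nor an admin.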