Some internal APIs in the Web application bypass ACLs
Package: rudder-server (rudder)
Affected versions: >= 7.3.0, < 7.3.5; < 7.2.10
Patched versions: 7.3.5; 7.2.10

Package: rudder-webapp (rudder)
Affected versions: *
Patched versions: None
Impact
Several APIs are affected:
/secure/api/sharedfile/*
/secure/api/resourceExplorer/*
/secure/api/apiaccounts/*
/secure/api/eventlog/*
/secure/api/completion/*
Accessing these APIs requires a valid Rudder account but no specific rights, meaning that a user with no rights or read-only rights can use them and take control of the infrastructure (either by creating a privileged token, or by chaining with GHSA-jjfq-p8xw-53g2).
Only actual user accounts are affected, not standalone API tokens.
Patches
Workarounds
None.
References