/_status/vars is world readable #50126
Comments
Hello, I am Blathers. I am here to help you get the issue triaged. Hoot - a bug! Though bugs are the bane of my existence, rest assured the wretched thing will get the best of care here. I have CC'd a few people who may be able to assist you:
If we have not gotten back to your issue within a few business days, you can try the following:
🦉 Hoot! I am Blathers, a bot for CockroachDB. My owner is otan.
@knz Sending this your way since I know you addressed similar security concerns in v20.1. Was this endpoint ever discussed during that work?
Yes it was considered that the information exposed this way was not sensitive. @korpa FYI there are multiple HTTP endpoints that are similarly world-readable. We always recommend suitable proxying / firewalling for best security.
@knz Ok. Thank you very much. But then it should be mentioned on https://www.cockroachlabs.com/docs/stable/security-overview.html and maybe on https://www.cockroachlabs.com/docs/stable/recommended-production-settings.html
@taroface can you lift this issue into a doc project?
Superseded by #50472
Describe the problem
Spin up a secure cluster with CLI parameters.
To Reproduce
Go to https://[ip]:8080/_status/vars