Ensure only team admins can list other users #5657
Labels:
- bug: Something isn't working as documented
- ~released bug: This bug was found in a stable release.
- :reproduce: Involves documenting reproduction steps in the issue
- ~risk-reduction: Related to improvements that could help reduce risk of outages, security, privacy, or trust issues.
Goal
TODO
In the April 2022 pentest of Fleet, it was discovered that it is possible to enumerate users with api/v1/fleet/users/<USERNUMBER>. Due to error messages that differ between valid and invalid emails and the lack of throttling, an authenticated user could enumerate valid email addresses. This is a minor privacy issue, and we should address it by:
When ready to start working on this, let's discuss the exact implementation details.
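As an added illustration of the authorization shape this issue calls for (example code, not Fleet's own): a non-admin may read only their own user record, admins may read any, and a denied lookup and a missing user return the same error so the response cannot be used to tell valid IDs from invalid ones. The role names, in-memory store and sample users are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical role names; Fleet's real role model is not assumed here.
type Role string

const (
	RoleAdmin    Role = "admin"    // global or team admin
	RoleObserver Role = "observer" // any non-admin role
)

type User struct {
	ID    uint
	Email string
	Role  Role
}

// ErrNotFound is the single error returned for every denied or missing lookup,
// so the response does not reveal whether the requested user ID exists.
var ErrNotFound = errors.New("user not found")

// userStore is an in-memory stand-in for the database (constructed sample data).
type userStore map[uint]*User

// GetUser enforces: a requester may fetch their own record; only admins may
// fetch other users' records. Forbidden and missing both map to ErrNotFound.
func GetUser(store userStore, requester *User, targetID uint) (*User, error) {
	if requester == nil {
		return nil, ErrNotFound
	}
	if requester.ID != targetID && requester.Role != RoleAdmin {
		// Deny before touching the store: the existence check must not leak.
		return nil, ErrNotFound
	}
	u, ok := store[targetID]
	if !ok {
		return nil, ErrNotFound
	}
	return u, nil
}

func main() {
	store := userStore{
		1: {ID: 1, Email: "admin@example.com", Role: RoleAdmin},
		2: {ID: 2, Email: "alice@example.com", Role: RoleObserver},
	}
	// A non-admin probing another ID gets the same answer whether or not it exists.
	_, errExisting := GetUser(store, store[2], 1)
	_, errMissing := GetUser(store, store[2], 999)
	fmt.Println(errExisting, "|", errMissing) // user not found | user not found
}
```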