Survey Aggregate Metrics Accessible to Unauthorized Users

Moderate
vavalomi published GHSA-6c7j-7jf3-9p3j Oct 4, 2021 · 1 comment

Package

WB.UI.Headquarters.dll (Headquarters)

Affected versions

<=21.09

Patched versions

21.09.1

Description

Impact

The Headquarters application exposes a /metrics endpoint that is reachable by any user, including unauthenticated ones.
None of the survey answers are ever exposed; only aggregate counters are, such as the number of interviews or the number of assignments.

Patches

Starting with version 21.09.1 the endpoint is turned off by default.

Workarounds

  • For Docker-based installations: pull the latest image (21.09.1 or later, where the endpoint is off by default) and rebuild the container.
  • For Windows-based installations:
    Locate the following line in the Survey Solutions\Site\appsettings.ini file and change its value from true to false:
    UseMetricsEndpoint = true
    Then restart the application and confirm that an unauthenticated request to /metrics no longer returns a scrape.
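The following is an added example, not Survey Solutions code: it probes a Headquarters instance for an anonymously reachable /metrics endpoint (treating a 200 response in Prometheus text format as exposure), and applies the appsettings.ini workaround above by rewriting the UseMetricsEndpoint line. The base URL, the ini path and the metric names in the embedded sample scrape are assumptions for illustration; the real counters will differ.

```python
"""Added example (not Survey Solutions code): detect an unauthenticated
/metrics endpoint and apply the appsettings.ini workaround."""
from __future__ import annotations

import re
import urllib.error
import urllib.request
from pathlib import Path

# One Prometheus exposition sample line: name{labels} value [timestamp]
_SAMPLE_RE = re.compile(
    r"^([A-Za-z_:][A-Za-z0-9_:]*)(\{[^}]*\})?\s+"
    r"(NaN|[+-]?Inf|[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?)"
    r"(?:\s+-?\d+)?\s*$"
)


def parse_exposition(body: str) -> dict:
    """Return {sample name (with labels): value} from Prometheus text format."""
    samples = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip HELP/TYPE comments
            continue
        m = _SAMPLE_RE.match(line)
        if m:
            samples[m.group(1) + (m.group(2) or "")] = float(m.group(3))
    return samples


def classify_response(status: int, body: str) -> tuple:
    """True when an anonymous GET yielded a real scrape (HTTP 200 + at least one sample).
    A login page or an error status is not exposure."""
    if status != 200:
        return False, {}
    samples = parse_exposition(body)
    return bool(samples), samples


def probe_metrics(base_url: str, timeout: float = 5.0) -> tuple:
    """Network check: GET <base_url>/metrics with no cookies or credentials."""
    req = urllib.request.Request(base_url.rstrip("/") + "/metrics",
                                 headers={"Accept": "text/plain"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:  # 401/403/404 all mean "not exposed"
        return classify_response(exc.code, "")


# Matches "UseMetricsEndpoint = true" with any spacing/case and an optional ; or # comment.
_SETTING_RE = re.compile(r"^(\s*UseMetricsEndpoint\s*=\s*)(true)(\s*(?:[;#].*)?)$", re.IGNORECASE)


def disable_metrics_setting(ini_text: str) -> tuple:
    """Rewrite the setting to false, keeping every other line and the line endings intact.
    Returns (new_text, number_of_lines_changed); already-false files are left untouched."""
    out, changed = [], 0
    for line in ini_text.splitlines(keepends=True):
        stripped = line.rstrip("\r\n")
        m = _SETTING_RE.match(stripped)
        if m:
            line = m.group(1) + "false" + m.group(3) + line[len(stripped):]
            changed += 1
        out.append(line)
    return "".join(out), changed


def disable_metrics_in_file(path) -> int:
    """Apply the rewrite to an appsettings.ini on disk; returns lines changed."""
    p = Path(path)
    new_text, changed = disable_metrics_setting(p.read_text(encoding="utf-8"))
    if changed:
        p.write_text(new_text, encoding="utf-8")
    return changed


# Constructed sample of what an exposed scrape could look like (hypothetical metric names).
SAMPLE_SCRAPE = """# HELP interviews_total Number of interviews
# TYPE interviews_total gauge
interviews_total{status="completed"} 1234
assignments_total 56
"""

if __name__ == "__main__":
    exposed, samples = classify_response(200, SAMPLE_SCRAPE)
    print("exposed:", exposed, "samples:", sorted(samples))
    # Live use (assumed URL/path):
    #   probe_metrics("https://hq.example.org")
    #   disable_metrics_in_file(r"C:\Survey Solutions\Site\appsettings.ini")
```

Run the probe before and after the restart: the workaround has taken effect when `probe_metrics` returns `False`, i.e. the anonymous request no longer gets a 200 with parseable samples.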
Collaborator

SlyNet commented Oct 5, 2021

Severity

Moderate
5.3 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2021-41123

Weaknesses