Survey Aggregate Metrics Accessible to Unauthorized Users
Package
WB.UI.Headquarters.dll
(Headquarters)
Affected versions
<=21.09
Patched versions
21.09.1
Description
It should be possible to mitigate the issue without rebuilding the container: pass the environment variable `HQ_Metrics__UseMetricsEndpoint=false` when running the container.
Impact
The Headquarters application publishes a /metrics endpoint that is available to any user, without authorization.
None of the survey answers are ever exposed; only aggregate counters are, such as the number of interviews or the number of assignments.
Patches
Starting from version 21.09.1, the endpoint is turned off by default.
Workarounds
Locate the following line in the Survey Solutions\Site\appsettings.ini file and change its value from `true` to `false`:
`UseMetricsEndpoint = true`
Then restart the application.
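The two mitigations above (the container environment variable in the description and the appsettings.ini edit in the workaround) both set the same configuration value, and in an ASP.NET Core application an environment variable takes precedence over the ini file. The following audit helper is an added example, not Survey Solutions' own code: given the ini text, the process environment and the Headquarters version, it reports whether the /metrics endpoint would be enabled, so an operator can confirm a mitigation before and after a restart. It assumes the ini section holding `UseMetricsEndpoint` is `[Metrics]` (inferred from the env var name, where `__` separates section and key), and that when the key is absent the version default applies (on up to 21.09, off from 21.09.1); both assumptions are marked in the code.

```python
"""Audit helper (added example, not Survey Solutions' own code).

Mirrors ASP.NET Core configuration precedence for one setting:
environment variable > appsettings.ini > built-in default.

Assumptions not stated in the advisory:
  * the ini section is [Metrics] (inferred from HQ_Metrics__UseMetricsEndpoint,
    where "__" separates section and key);
  * an absent key means the version default: enabled for <= 21.09,
    disabled from 21.09.1 on.
"""
import configparser
from typing import Mapping, Optional

ENV_VAR = "HQ_Metrics__UseMetricsEndpoint"   # name given in the advisory
INI_SECTION = "Metrics"                        # assumed section name
INI_KEY = "UseMetricsEndpoint"                 # key given in the advisory

# Constructed sample of the relevant part of appsettings.ini (pre-mitigation).
SAMPLE_INI = """\
[Metrics]
UseMetricsEndpoint = true
"""


def _parse_bool(value: Optional[str]) -> Optional[bool]:
    """Map 'true'/'false' (any case, padded) to bool; None when unset."""
    if value is None:
        return None
    v = value.strip().lower()
    if v == "true":
        return True
    if v == "false":
        return False
    raise ValueError(f"unrecognised boolean value: {value!r}")


def ini_setting(ini_text: str) -> Optional[bool]:
    """Read UseMetricsEndpoint from appsettings.ini text; None if not present."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if cp.has_option(INI_SECTION, INI_KEY):
        return _parse_bool(cp.get(INI_SECTION, INI_KEY))
    return None


def default_for_version(version: str) -> bool:
    """Built-in default: endpoint on for <= 21.09, off from 21.09.1 (assumed)."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < (21, 9, 1)


def metrics_endpoint_enabled(ini_text: str, env: Mapping[str, str], version: str) -> bool:
    """Effective value of UseMetricsEndpoint after applying precedence."""
    from_env = _parse_bool(env.get(ENV_VAR))
    if from_env is not None:          # env var wins, e.g. the container workaround
        return from_env
    from_ini = ini_setting(ini_text)
    if from_ini is not None:          # then the appsettings.ini edit
        return from_ini
    return default_for_version(version)


if __name__ == "__main__":
    # Unmitigated 21.09 deployment with the shipped ini: endpoint exposed.
    print("21.09, no mitigation:", metrics_endpoint_enabled(SAMPLE_INI, {}, "21.09"))
    # Same deployment with the container env var set: endpoint off.
    print("21.09, env var set:  ",
          metrics_endpoint_enabled(SAMPLE_INI, {ENV_VAR: "false"}, "21.09"))
```

Run it against the real appsettings.ini text and `os.environ` of the Headquarters process to get the effective value; a `True` result on an internet-facing deployment means the aggregate counters are still reachable and the workaround has not taken effect (for example because the application was not restarted).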