Issue
CWE-284
API v1 and v2 lack appropriate access controls.
Impact
Both API v1 and v2 allowed a user to retrieve findings, endpoints and other data for which that user was not authorized. The main endpoints affected are report generation, retrieval of notes, and retrieval of endpoints together with the nested objects inside them.
Patches
We have added additional authorization checks to fix this in APIv2. APIv1 has been deprecated and disabled by default since 1.12.0 and should no longer be used; it has not been and will not be fixed. We recommend that all users switch to APIv2 for continued support and security fixes, and report bugs or missing features to the project.
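The class of defect described above (CWE-284: an API that resolves an object by its id without confirming the caller may see the object it belongs to) and the shape of the fix (an object-level authorization check against the owning product, applied to the object itself and to anything nested under it) can be illustrated with a small self-contained example. The following is an added illustration, not the project's code or the actual patch; the data model (users, products, findings, endpoints, notes), the in-memory tables and the function names are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data for the example; not taken from the advisory or the project.

@dataclass(frozen=True)
class User:
    name: str
    is_staff: bool = False

@dataclass
class Product:
    id: int
    authorized_users: frozenset  # user names allowed to view this product

@dataclass
class Finding:
    id: int
    product_id: int
    title: str

@dataclass
class Endpoint:
    id: int
    product_id: int
    host: str
    notes: list = field(default_factory=list)  # nested objects under the endpoint

class NotFound(Exception):
    """Raised for both missing and forbidden objects, so the API does not leak existence."""

PRODUCTS = {
    1: Product(1, frozenset({"alice"})),
    2: Product(2, frozenset({"bob"})),
}
FINDINGS = {
    10: Finding(10, 1, "SQL injection in login form"),
    20: Finding(20, 2, "Reflected XSS in search"),
}
ENDPOINTS = {
    100: Endpoint(100, 1, "app.example.test", notes=["triaged by alice"]),
    200: Endpoint(200, 2, "shop.example.test", notes=["marked false positive by bob"]),
}

def user_can_view_product(user: User, product_id: int) -> bool:
    """Single authorization decision point: staff see everything, others only assigned products."""
    product = PRODUCTS.get(product_id)
    return product is not None and (user.is_staff or user.name in product.authorized_users)

def get_finding_unchecked(user: User, finding_id: int) -> Finding:
    """Vulnerable pattern: lookup by primary key only; any authenticated user can read any finding."""
    finding = FINDINGS.get(finding_id)
    if finding is None:
        raise NotFound(finding_id)
    return finding

def get_finding(user: User, finding_id: int) -> Finding:
    """Hardened pattern: the object is only returned if the caller may view its owning product."""
    finding = FINDINGS.get(finding_id)
    if finding is None or not user_can_view_product(user, finding.product_id):
        raise NotFound(finding_id)
    return finding

def can_access_finding(user: User, finding_id: int) -> bool:
    """Boolean wrapper around get_finding, convenient for tests and for list filtering."""
    try:
        get_finding(user, finding_id)
        return True
    except NotFound:
        return False

def list_findings(user: User) -> list:
    """List endpoints must filter by authorization too, not just the detail endpoint."""
    return [f for f in FINDINGS.values() if user_can_view_product(user, f.product_id)]

def get_endpoint_notes(user: User, endpoint_id: int) -> list:
    """Nested objects inherit the parent's check: notes are reachable only via an authorized endpoint."""
    endpoint = ENDPOINTS.get(endpoint_id)
    if endpoint is None or not user_can_view_product(user, endpoint.product_id):
        raise NotFound(endpoint_id)
    return list(endpoint.notes)

if __name__ == "__main__":
    alice = User("alice")
    print("unchecked lookup leaks product 2 to alice:", get_finding_unchecked(alice, 20).title)
    print("checked lookup for alice:", [f.id for f in list_findings(alice)])
    print("alice may read finding 20:", can_access_finding(alice, 20))
```

Two points worth noting in the design: every path to an object (detail lookup, list, and nested children such as notes) goes through the same `user_can_view_product` decision, so a nested route cannot bypass the check that the parent route enforces; and forbidden objects are reported exactly like missing ones, so an unauthorized caller cannot enumerate which ids exist.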
Workarounds
- Disable untrusted users.
- Disable APIs. APIv1 is disabled by default since 1.12.0. APIv2 can be disabled by manually editing the configuration (not supported).
For more information
If you have any questions or comments about this advisory: