Thanks @frank-dspeed 😄 , I had discussed this more with @tennix offline. After #15137 we could solve part of the problem when the user enables HTTPS, but maybe more improvement is needed to keep users that didn't enable HTTPS safe, or to do more fine-grained control in the HTTP API later.
According to the tidb-ctl documentation https://github.com/pingcap/tidb-ctl/blob/master/doc/tidb-ctl.md, users can access data via the tidb-server HTTP API without authentication. This is a security vulnerability.
If users expose the TiDB HTTP API unintentionally, even internal non-authorized users can access TiDB data without needing a TiDB user and password.
CockroachDB had the same issue but fixed it in newer versions: https://www.cockroachlabs.com/docs/advisories/a42567.html
We might need to fix this too.
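To make concrete what "solving part of the problem when the user enables HTTPS" looks like, here is an added illustration (not TiDB's own code, and not what #15137 implements): an `http.Handler` wrapper that refuses status-API requests arriving over plain HTTP or over TLS without a client certificate, and only serves callers whose certificate Common Name is on an allow list. The wrapper, `probe` helper and the `tidb-ctl` CN are assumptions for the example; in a real server the `tls.Config` must also set `ClientAuth: tls.RequireAndVerifyClientCert` so a presented certificate is actually validated against the cluster CA.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requireClientCert wraps a status-API handler so a request is served only
// when it arrived over TLS with a client certificate whose Common Name is in
// allowedCNs. Plain-HTTP and anonymous-TLS callers get 403. The cert itself
// must have been verified by the TLS layer (RequireAndVerifyClientCert).
func requireClientCert(allowedCNs []string, next http.Handler) http.Handler {
	allowed := make(map[string]bool, len(allowedCNs))
	for _, cn := range allowedCNs {
		allowed[cn] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// r.TLS is nil for plain HTTP; PeerCertificates is empty when the
		// client presented no certificate during the handshake.
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "client certificate required", http.StatusForbidden)
			return
		}
		if !allowed[r.TLS.PeerCertificates[0].Subject.CommonName] {
			http.Error(w, "client certificate not authorised", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends GET /status through the wrapper with a constructed TLS state
// (tlsOn=false: plain HTTP; cn="": TLS but no client certificate) and
// returns the HTTP status code the caller would see.
func probe(h http.Handler, tlsOn bool, cn string) int {
	req := httptest.NewRequest(http.MethodGet, "/status", nil)
	if tlsOn {
		req.TLS = &tls.ConnectionState{}
		if cn != "" {
			req.TLS.PeerCertificates = []*x509.Certificate{{Subject: pkix.Name{CommonName: cn}}}
		}
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	status := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, `{"status":"ok"}`) // stand-in for the real /status body
	})
	h := requireClientCert([]string{"tidb-ctl"}, status)
	fmt.Println(probe(h, false, ""), probe(h, true, ""), probe(h, true, "tidb-ctl")) // prints: 403 403 200
}
```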