CVE-2023-29860: Unauthorized access existed in the Taier. Procedure · Issue #1003 · DTStack/Taier
Insecure permissions in the /Taier/API/tenant/listTenant interface in DTStack Taier 1.3.0 allow attackers to view sensitive information via the getCookie method.
Search before asking
- I had searched in the issues and found no similar issues.
What happened
Taier has an unauthorized access hole in the login module. The vulnerability results from the scheduling application's getCookie method passing parameter content without checking that the user belongs to this platform, so any user can access the /Taier/API/tenant/listTenant interface to steal the tenant's data within the application platform and gain access to all the sensitive information on the application form.
What you expected to happen
How to reproduce
Find the getCookie method in init.tsx. It can be seen that the getCookie method does not verify whether the content of the passed parameter belongs to a user of this platform.
Anything else
No response
Version
v1.3
Are you willing to submit PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project’s Code of Conduct
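The missing check described in this report, shown as an added example that is not Taier's code: a minimal model of a tenant-listing endpoint in which the vulnerable handler accepts any cookie value and returns every tenant, while the hardened handler resolves the session server-side and returns only tenants the caller belongs to. Session and tenant data, the cookie values, and the function names are constructed for the example; the real fix belongs in the server interceptor, not in the browser code.

```typescript
// Added example, not code from the Taier project.
type Session = { userId: string; tenantIds: string[] };
type Tenant = { id: string; name: string; adminEmail: string };

// Constructed sample tenants holding sensitive fields.
const TENANTS: Tenant[] = [
  { id: "t1", name: "finance", adminEmail: "fin-admin@example.com" },
  { id: "t2", name: "research", adminEmail: "res-admin@example.com" },
];

// Constructed server-side session store keyed by session cookie value.
const SESSIONS: Record<string, Session> = {
  "cookie-alice": { userId: "alice", tenantIds: ["t1"] },
};

// Vulnerable shape: the cookie is read but never validated against a session,
// and the response is not scoped to the caller's tenants.
function listTenantVulnerable(cookie: string | undefined): Tenant[] {
  if (!cookie) return [];
  return TENANTS; // any non-empty cookie value sees every tenant
}

// Hardened shape: resolve the session on the server, reject unknown cookies,
// and filter the result to tenants the authenticated user belongs to.
function listTenantHardened(
  cookie: string | undefined,
): { status: number; body: Tenant[] } {
  const session = cookie ? SESSIONS[cookie] : undefined;
  if (!session) return { status: 401, body: [] }; // unauthenticated
  const allowed = new Set(session.tenantIds);
  return { status: 200, body: TENANTS.filter((t) => allowed.has(t.id)) };
}
```

A forged or arbitrary cookie value returns two tenants from the vulnerable handler and a 401 from the hardened one.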
added authentication to intercept: mark it :) thx
You’re welcome.
Don’t close this issue any time soon.
Sure! We will close this issue after solving this problem, and we also welcome any PR from you, whether it is docs, feat, or bug fix! At the same time, there may be more changes that need to be made to address this issue, and we need to arrange more time to sort out each API.
bnyte added and removed the bug (Something isn’t working) label, Apr 11, 2023