-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix data disclosure on organization endpoints (#4837)
- All users were able to request organizational details from any org, even if they were not a member (anymore). Now it will check if that user is a member of the org or not. - The `/organization/<uuid>/keys` endpoint returned also the private keys. This should not be the case. Also, according to the upstream server code the endpoint changed, but the clients do not seem to use it. I added it anyway just in case they will in the future. - Also require a valid login before being able to retreve those org keys. Upstream does not do this, but i see no reason why not. Fixes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39925
- Loading branch information
Showing
2 changed files
with
37 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters