As potential workarounds, users may install and configure a rate-limiting proxy in front of Kiwi TCMS and/or configure rate limits on their email server when possible. Users should upgrade to v12.0 or later to receive a patch. Additionally that may strain SMTP resources. An attacker could potentially send a large number of emails if they know the email addresses of users in Kiwi TCMS. This makes it easier to attempt denial-of-service attacks against the Password reset page. Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-076. As a result attackers may be able to reroute a request from originating from the frontend proxy to any other server and return the result. It has been discovered that the proxy does not adequately construct the URL when forwarding data to GMS, allowing external users to reroute requests from the DataHub Frontend to any arbitrary hosts. The goal of this proxy is to perform authentication if needed and forward HTTP requests to the DataHub Metadata Store (GMS).
The DataHub frontend acts as a proxy able to forward any REST or GraphQL requests to the backend. (2.) Sanitize to the value of `search_history` cookie after base64 decoding it.ĭataHub is an open-source metadata platform. If users are unable to upgrade immediately, the following workarounds may be applied: (1.) Use a proxy to always drop the `search_history` cookie until upgraded. This issue is patched with commit id 5ae9ca83b73.
If it is known that the database was modified, a full restoration of data is possible by performing a full database wipe and performing full update of all components. On the database, only public data is stored, so there is no confidentiality issues to site users. A proof of concept malformed cookie was generated that wiped the database or changed it's content. As a result, any user can modify the browser's cookie value and inject most SQL queries. These are string loaded directly into the SQL query with `atom = '%s'` format string. If the user selects (in user preferences) the "Recently Visited Packages" view for the index page, the value of the `search_history` cookie is used as a base64 encoded comma separated list of atoms. Versions prior to 1.0.1 are vulnerable to SQL Injection, leading to a Denial of Service.
0 kommentar(er)
