[SLING-10147] scripting variables implementation details are exposed to not authorized users - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: Scripting Core 2.3.6
Component/s: None
Labels:
None

Description

The ".SLING_availablebindings.json" selector is registered at /apps/sling/servlet/default and the usage on all resources is not protected by any security checks. The information returned contains implementation details that a regular user should not need to know and could be considered an "information disclosure" vulnerability.

Since this selector appears to only be used by the "Scripting Variables" webconsole plugin, I would expect that it should require the same security checking that would be needed to access the webconsole.

Attachments

Issue Links

is caused by

SLING-3543 Provide a Felix Web Console Tab exposing the available Scripting Variables

Closed

requires

FELIX-6390 Refactor the default authentication mechanism of the webconsole to be a WebConsoleSecurityProvider2

Closed

Activity

People

Assignee:: Eric Norman

Reporter:: Eric Norman

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 17/Feb/21 20:30

Updated:: 11/May/21 13:01

Resolved:: 26/Mar/21 18:24

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

10h 50m