Uploaded image for project: 'Camunda Optimize'
  1. Camunda Optimize
  2. OPT-6588

Error messages leak implementation details to the requestor

    XMLWordPrintable

Details

    • Not defined

    Description

      Brief summary of the bug. What is it ? Where is it ?

      As reported in https://jira.camunda.com/browse/SEC-186, there are cases where Optimize leaks information on error messages. While this is not new, there is a chance that these messages contain information that allows attackers to exploit Optimize in other ways. This might be something we can handle with better error handling in the backend, that prevents implementation details being leaked in the error messages.

      Steps to reproduce:

      Actual result:

      Make a request to /api/collection/collectionId/role/userId

      Make the body contain an unsupported role, such as "admin". Observe the error message as per the attached screenshot

      Expected result:

      The error message should not include information about internal classes or other implementation details

      mgm-controller-panel

        This is the controller panel for Smart Panels app

        Attachments

          Activity

            People

              Unassigned Unassigned
              joshua.windels Joshua Windels
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Salesforce