
Error messages leak implementation details to the requestor


      As reported in https://jira.camunda.com/browse/SEC-186, there are cases where Optimize leaks implementation details in its error messages. While this is not new, these messages may contain information that allows attackers to exploit Optimize in other ways. This might be something we can handle with better error handling in the backend that prevents implementation details from being leaked in error messages.

      Steps to reproduce:

      Make a request to /api/collection/collectionId/role/userId

      Make the body contain an unsupported role, such as "admin".

      Actual result:

      Observe the error message as per the attached screenshot.

      Expected result:

      The error message should not include information about internal classes or other implementation details.
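One way to get the expected result in a Spring Boot backend, as an added example that is not Optimize's own code: a `@RestControllerAdvice` that intercepts the exception raised when a request body cannot be deserialised (an unknown enum value such as "admin" is exactly that case, and the default message names the enum class and Jackson internals) and returns a fixed message plus a reference id, while the detail goes to the server log only. The package, the `CollectionRole` enum and its values, `RoleRequest`, `ApiError` and the controller method are hypothetical and only sketch where the leak originates; Java 17 and Spring Boot 3 are assumed.

```java
// Added example, not part of the OPT-6588 ticket or the Optimize code base.
// Hypothetical names: example.errors, CollectionRole, RoleRequest, ApiError.
package example.errors;

import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RestControllerAdvice;

/** Hypothetical role set; an unknown value in the request body fails deserialisation. */
enum CollectionRole { VIEWER, EDITOR, MANAGER }

/** Hypothetical request body for the role endpoint named in the ticket. */
record RoleRequest(CollectionRole role) {}

/** Response body shape: a generic message and a reference id, never class names or stack traces. */
record ApiError(String message, String errorId) {}

@RestController
class CollectionRoleController {
  @PutMapping("/api/collection/{collectionId}/role/{userId}")
  public void updateRole(@PathVariable String collectionId,
                         @PathVariable String userId,
                         @RequestBody RoleRequest body) {
    // Business logic omitted; the point is the error path below.
  }
}

@RestControllerAdvice
class ApiErrorHandler {
  private static final Logger log = LoggerFactory.getLogger(ApiErrorHandler.class);

  // Leaky form would be: return ResponseEntity.badRequest().body(ex.getMessage());
  // That message contains the fully qualified enum name and Jackson parser details.
  // Hardened form: keep the detail in the server log, keyed by an id the caller can quote.
  @ExceptionHandler(HttpMessageNotReadableException.class)
  public ResponseEntity<ApiError> handleUnreadableBody(HttpMessageNotReadableException ex) {
    String errorId = UUID.randomUUID().toString();
    log.warn("Rejected malformed request body [{}]: {}", errorId,
        ex.getMostSpecificCause().getMessage());
    return ResponseEntity.status(HttpStatus.BAD_REQUEST)
        .body(new ApiError("Request body is invalid.", errorId));
  }

  // Catch-all so that unexpected exceptions (and their class names, causes and
  // stack traces) map to a constant 500 body instead of reaching the requestor.
  @ExceptionHandler(Exception.class)
  public ResponseEntity<ApiError> handleUnexpected(Exception ex) {
    String errorId = UUID.randomUUID().toString();
    log.error("Unhandled exception [{}]", errorId, ex);
    return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
        .body(new ApiError("An internal error occurred.", errorId));
  }
}
```

The catch-all handler is what closes the gap for exceptions nobody anticipated; a handler that covers only the known cases still leaks on the next one. Spring Boot's default error page already omits the exception message, class and stack trace (`server.error.include-message`, `server.error.include-exception` and `server.error.include-stacktrace` default to off since Spring Boot 2.3), which is consistent with the comment on this ticket that the migration to Spring Boot fixed it; an explicit advice like the one above keeps that guarantee even for endpoints that build their own error responses.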

            Joshua Windels created issue -
            Joshua Windels made changes -
            Link New: This issue is related to SEC-186 [ SEC-186 ]
            Joshua Windels made changes -
            Link New: This issue is duplicated by OPT-6593 [ OPT-6593 ]
            Joshua Windels made changes -
            Status Original: Triage [ 10612 ] New: Open [ 1 ]
            Joshua Windels made changes -
            Fix Version/s New: 3.11.0 [ 18496 ]
            Fix Version/s New: 3.10.4 [ 18491 ]

            Joshua Windels added a comment - This was fixed by default when we migrated to a Spring Boot application
            Joshua Windels made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Open [ 1 ] New: Done [ 10010 ]
