Impact
A user who is not authorized for a product can see that product's vulnerable endpoints, and details of the findings on them, in a generated report.
A user who is not authorized for a product can see that product, its product type, and details of its findings in the metrics reports.
Information about products and findings should only be revealed to a user who has explicitly been granted access to them, or who is a staff member or superuser.
Similar leakage can also occur through the cache: Django was caching the metrics pages globally instead of per user, so a response rendered for one user could be served to another.
CWE
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor.
Fix
Affected reports, queries and pages have been adjusted to only return data for products and product types the requesting user is authorized to see.
Caching of the metrics pages has been changed to cache per user (vary_on_cookie), so that a response rendered for one session is not served from the cache to a different session. Note that per-user caching only prevents the cache from re-serving another user's page; the authorization filtering above is what actually restricts the data.
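To make the two halves of the fix concrete, here is an added, self-contained Python example (not DefectDojo's own code): a toy view that filters findings by the requesting user's product authorizations, wrapped first in a cache keyed only on the URL (the global cache that leaked data) and then in a cache whose key also covers the Cookie header, which is what Django's `vary_on_cookie` adds to the Vary header that `cache_page` builds its key from. The `Request` class, the `AUTHORIZED` and `FINDINGS` fixtures and the user and cookie values are constructed for the demonstration; the cache is a plain dict standing in for Django's cache backend.

```python
import hashlib

# Constructed stand-in for a Django HttpRequest: only the fields the demo needs.
class Request:
    def __init__(self, path, user, cookie):
        self.path = path
        self.user = user                  # authenticated username
        self.headers = {"Cookie": cookie}  # session cookie sent by the browser


# Constructed fixtures: per-user product authorizations and findings per product.
AUTHORIZED = {"alice": {"payroll"}, "bob": {"webshop"}}
FINDINGS = {"payroll": ["SQLi in /export"], "webshop": ["XSS in /search"]}


def metrics_view(request):
    """Render metrics only for products the requesting user may see."""
    return {p: FINDINGS[p] for p in sorted(AUTHORIZED[request.user])}


_cache = {}  # stands in for django.core.cache


def cache_page(vary_on=()):
    """Toy version of django.views.decorators.cache.cache_page.
    The key is built from the path plus the values of the request headers
    listed in vary_on, mirroring how Django derives the key from the
    response's Vary header. vary_on=("Cookie",) is what vary_on_cookie gives you."""
    def decorator(view):
        def wrapped(request):
            material = request.path + "|" + "|".join(
                f"{h}={request.headers.get(h, '')}" for h in vary_on
            )
            key = hashlib.sha256(material.encode()).hexdigest()
            if key not in _cache:          # cache miss: render for this user
                _cache[key] = view(request)
            return _cache[key]             # cache hit: whoever rendered it first
        return wrapped
    return decorator


# Global cache, keyed on the URL alone: the configuration that leaked data.
global_cached = cache_page()(metrics_view)
# Per-user cache, keyed on URL + Cookie: the corrected configuration.
per_user_cached = cache_page(vary_on=("Cookie",))(metrics_view)


def demo(view):
    """Alice requests the metrics page first, then Bob; return both responses."""
    _cache.clear()
    alice = Request("/metrics", "alice", "sessionid=a1")
    bob = Request("/metrics", "bob", "sessionid=b2")
    return view(alice), view(bob)


if __name__ == "__main__":
    print("global cache  :", demo(global_cached))    # Bob receives Alice's page
    print("per-user cache:", demo(per_user_cached))  # each user gets their own
```

Run with the global cache, Bob's response is Alice's cached page and contains the payroll findings he is not authorized for, even though the view itself filters correctly; with the Cookie header in the key, each session renders and caches its own page. A quick check in a real Django deployment is to log in as two users with different product access, request the same metrics URL, and confirm the second user never sees the first user's products.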
For more information
If you have any questions or comments about this advisory, please see our security policy for more information. Disclose any vulnerabilities you find responsibly.