Description
lakeFS affected by unauthenticated access to API usage metrics
Impact
Missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime.
Patches
Upgrade to >v1.70.1
Workarounds
Any ONE of these is sufficient to block this reporting:
- Disable usage reporting by setting the configuration option usage_report.enabled or the environment variable LAKEFS_USAGE_REPORT_ENABLED to false.
- Use a load balancer or application-level firewall to block the request route /api/v1/usage-report/summary.
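The second workaround as an added configuration example (not part of the advisory or the lakeFS project): an nginx reverse proxy in front of lakeFS that drops the unauthenticated route while proxying everything else. The backend address 127.0.0.1:8000 and the hostname are assumptions.

```nginx
# Added example, not lakeFS project configuration.
# Assumes lakeFS listens on 127.0.0.1:8000 behind this nginx instance.
upstream lakefs {
    server 127.0.0.1:8000;
}

server {
    listen 443 ssl;
    server_name lakefs.example.internal;   # placeholder hostname
    # TLS certificate directives go here.

    # Exact-match block for the affected route from the advisory.
    # Returning 404 rather than 403 avoids confirming that the path exists.
    location = /api/v1/usage-report/summary {
        return 404;
    }

    # All other API traffic is proxied to lakeFS unchanged.
    location / {
        proxy_pass http://lakefs;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

Apply the block only until the instance is upgraded; the configuration-level fix (usage_report.enabled set to false) remains preferable because it stops the data being exposed at all rather than hiding one route.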
Packages
github.com/treeverse/lakefs
< 1.71.0
1.71.0
Related vulnerabilities
lakeFS is an open-source tool that transforms object storage into Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime. This issue is fixed in version 1.71.0. To work around the vulnerability, use a load balancer or application-level firewall to block the request route /api/v1/usage-report/summary.