GHSA-v988-828w-xvf2

Published: 22 Oct 2021
Source: github
GitHub: Reviewed

Description

Authentication Bypass Using an Alternate Path or Channel and Authentication Bypass by Primary Weakness in rucio-webui

Impact

rucio-webui installations of the 1.26 release line potentially leak the contents of cookies to other sessions within a WSGI container. As a result, Rucio authentication tokens can be leaked to other users who access the webui within a short time window, allowing those users to access the webui with the leaked authentication token. Privileges are therefore also escalated.

Rucio server / daemons are not affected by this issue; it is isolated to the webui.
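The advisory above describes cookie contents reaching a session other than the one that sent them inside a WSGI container. The following added example is not rucio-webui's code: the advisory does not state the root cause, so the mechanism shown (per-request data parked in state that is shared by every request a worker handles) is an assumption about how this class of leak commonly arises, not a description of the actual defect. It reproduces that leak deterministically with two concurrent requests and shows the request-scoped alternative beside it. COOKIE_NAME, make_shared_state_app, make_request_scoped_app and serve_concurrently are names constructed for the illustration.

```python
"""Added illustration: how per-request data kept in shared (module-level or
closure-level) state can leak between requests served by the same threaded WSGI
worker, and the request-scoped alternative. Hypothetical code, not rucio-webui's."""
import threading
from http.cookies import SimpleCookie

# Constructed sample requests: two users, each carrying their own auth cookie.
# The cookie name is a placeholder, not one taken from rucio-webui.
COOKIE_NAME = "auth-token"
ENVIRON_ALICE = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
                 "HTTP_COOKIE": f"{COOKIE_NAME}=token-alice"}
ENVIRON_BOB = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "HTTP_COOKIE": f"{COOKIE_NAME}=token-bob"}


def token_from(environ):
    """Parse the auth cookie out of the WSGI environ (None if absent)."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookies.get(COOKIE_NAME)
    return morsel.value if morsel else None


def make_shared_state_app(io_hook=lambda: None):
    """Vulnerable pattern: the token is parked in a dict shared by all requests
    this worker handles, then read back after some I/O. If another request runs
    in between (threads inside one container), it overwrites the slot."""
    shared = {}

    def app(environ, start_response):
        shared["token"] = token_from(environ)
        io_hook()                         # stands in for a database round-trip
        token = shared["token"]           # may now belong to another user
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"authenticated as {token}".encode()]

    return app


def make_request_scoped_app(io_hook=lambda: None):
    """Fixed pattern: per-request data lives in the environ (or a local variable),
    which belongs to exactly one request, so concurrent requests cannot observe
    each other's token."""
    def app(environ, start_response):
        environ["app.token"] = token_from(environ)   # request-scoped slot
        io_hook()
        token = environ["app.token"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"authenticated as {token}".encode()]

    return app


def serve_concurrently(app_factory, environs):
    """Run one request per thread through a worker built by app_factory. A barrier
    inside the simulated I/O makes every request finish its parse step before any
    of them resumes, the interleaving a busy threaded WSGI container can produce.
    Returns the response bodies in request order."""
    barrier = threading.Barrier(len(environs))
    app = app_factory(io_hook=barrier.wait)
    bodies = [None] * len(environs)

    def handle(i, environ):
        chunks = app(dict(environ), lambda status, headers: None)
        bodies[i] = b"".join(chunks).decode()

    threads = [threading.Thread(target=handle, args=(i, e))
               for i, e in enumerate(environs)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return bodies


def demo():
    """Serve Alice's and Bob's requests through both patterns; returns (leaked, fixed)."""
    requests = [ENVIRON_ALICE, ENVIRON_BOB]
    leaked = serve_concurrently(make_shared_state_app, requests)
    fixed = serve_concurrently(make_request_scoped_app, requests)
    return leaked, fixed


if __name__ == "__main__":
    leaked, fixed = demo()
    print("shared state   :", leaked)
    print("request scoped :", fixed)
```

With the shared-state worker both responses come back authenticated as the same token, so one user is served with the other's credential; with the request-scoped worker each user sees only their own. The same property is what a regression test for this kind of fix should assert: concurrent requests with distinct cookies must never produce identical authenticated responses.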

Patches

This issue is fixed in the 1.26.7 release of the rucio-webui.

Workarounds

Install the 1.25.7 webui release. The 1.25 and earlier webui release lines are not affected by this issue.

References

https://github.com/rucio/rucio/issues/4928

Packages

Name: rucio-webui (pip)
Affected versions: >= 1.26.0, < 1.26.7
Fixed version: 1.26.7

Weaknesses

CWE-288
CWE-305