Potential security issue with detecting the remote host
Issue #7
closed
Currently SVG Cloud determines the baseUrl of the remote host by the provided parameters and not the JWT token.
Consequence: Somebody having access to a correctly registered client A might send falsified requests asking for data of a different remote host B.
Likelihood: Negligible as all of the below has to be true
- Host A has to be correctly registered (which should only work for Confluence Cloud hosts).
- Somebody needs to have the possibility to falsify data coming from a Confluence Cloud host.
- For a data leak this person has to guess a valid attachment ID of host B.
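
Added example (not SVG Cloud's code): one way to take the remote host from the verified JWT instead of the request parameters, assuming Atlassian Connect style HS256 tokens whose `iss` claim carries the client key stored at installation. The tenant registry, host URLs, secrets and the `baseUrl` parameter name are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed tenant registry, filled at add-on installation: clientKey -> tenant record.
const tenants = new Map([
  ['client-key-A', { baseUrl: 'https://host-a.example/wiki', sharedSecret: 'secret-A' }],
  ['client-key-B', { baseUrl: 'https://host-b.example/wiki', sharedSecret: 'secret-B' }],
]);

const b64url = (v) => Buffer.from(v).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Helper that builds constructed HS256 tokens for the demonstration.
function signJwt(claims, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${hmac(`${head}.${body}`, secret).toString('base64url')}`;
}

// Pattern described in the issue: the host comes from a caller-supplied parameter.
function resolveHostFromParams(params) {
  return params.baseUrl;
}

// Hardened: the host comes from the tenant that the verified token identifies.
function resolveHostFromJwt(token, params, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url'));
    claims = JSON.parse(Buffer.from(body, 'base64url'));
  } catch { throw new Error('malformed token'); }
  if (header?.alg !== 'HS256') throw new Error('unexpected algorithm');
  const tenant = tenants.get(claims?.iss);
  if (!tenant) throw new Error('unknown issuer');
  // Verify with the secret of the tenant named in iss, in constant time.
  const expected = hmac(`${head}.${body}`, tenant.sharedSecret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    throw new Error('bad signature');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  // A parameter that names another host is rejected rather than trusted.
  if (params.baseUrl && params.baseUrl !== tenant.baseUrl)
    throw new Error('baseUrl parameter does not match token issuer');
  return tenant.baseUrl;
}
```

The query string hash (`qsh`) check that Atlassian Connect also expects is left out to keep the example focused on host resolution.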
Comments (2)
reporter - changed status to closed