apurde / svg-out-cloud / issues / #7 - Potential security issue with detecting the remote host — Bitbucket

Issue #7 closed

Andreas Purde repo owner created an issue 2017-09-20

Currently SVG Cloud determines the baseUrl of the remote host by the provided parameters and not the JWT token.

Consequence: Somebody having access to a correctly registered client A might send a falsified requests asking for data of a different remote host B.

Likelihood: Negligible as all of the below has to be true

Host A has to be correctly registered (which should only work for Confluence Cloud hosts).
Somebody needs to have the possibility to falsify data coming from a Confluence Cloud host.
For a data leak this person has to guess a valid attachment ID of host B.

Comments (2)

Andreas Purde reporter
- edited description
- 2017-09-20T12:36:11+00:00
Andreas Purde reporter
- changed status to closed
- 2017-09-20T12:43:51+00:00
Log in to comment

Assignee: Andreas Purde

Type: bug

Priority: minor

Status: closed

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!