Details
- Type: Incident report
- Status: Closed
- Priority: Blocker
- Resolution: Fixed
- Affects Version/s: 1.9.0 (alpha)
- Fix Version/s: None
- Component/s: API (A)
- Labels: None
- Environment: rev 8369
Description
It seems that no permission limits are enforced when using the API - logged in as monitoring access with read-only access to a single hostgroup, I was able to access all configured hosts, all user information including password hashes, etc.