Invalid system user credentials usage

Description

Steps to reproduce:

  1. Obtain the username of the mod-data-export-spring system user.

  2. Log in with that username, using the username itself as the password.


Expected result:

The login should fail. The system user password should be read from environment variables, keeping the current value as the default when none is set.


Actual result:

Login is successful

Additional information:

https://folio-org.atlassian.net/wiki/display/SEC/Hardcoded+System+User+Credentials
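The expected behaviour described above, as an added example that is not mod-data-export-spring's own code: a Spring component that resolves the system user password from an environment variable with the existing value as fallback, and a startup check that reports the weak "password equals username" state. The environment variable names, the package and the `system-user` placeholder value are assumptions, not taken from the module.

```java
package org.example.systemuser; // hypothetical package, not the module's own

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

/**
 * Holds the system user credentials for the module.
 *
 * The password comes from the SYSTEM_USER_PASSWORD environment variable (an
 * assumed name). Spring's ${VAR:default} placeholder keeps the existing value
 * as the fallback, as the ticket asks, so an unset variable does not break
 * startup; the check in the constructor makes the weak state visible instead
 * of silently accepting it.
 */
@Component
public class SystemUserProperties {

  private static final Logger log = LoggerFactory.getLogger(SystemUserProperties.class);

  private final String username;
  private final String password;

  public SystemUserProperties(
      // Before the fix the password was effectively the username itself.
      // "system-user" is a constructed placeholder for the module's real value.
      @Value("${SYSTEM_USER_NAME:system-user}") String username,
      @Value("${SYSTEM_USER_PASSWORD:system-user}") String password) {
    this.username = username;
    this.password = password;
    if (isWeak(username, password)) {
      log.warn("System user password equals the username or is empty; set "
          + "SYSTEM_USER_PASSWORD to a distinct secret before exposing this module");
    }
  }

  /** True when the credential pair is the guessable default the ticket reports. */
  static boolean isWeak(String username, String password) {
    return password == null || password.isBlank() || password.equals(username);
  }

  public String getUsername() {
    return username;
  }

  public String getPassword() {
    return password;
  }
}
```

Deployments that set `SYSTEM_USER_PASSWORD` get a distinct secret; those that do not keep working on the default but now log the warning at startup.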

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None


Activity


Mikita Siadykh July 27, 2023 at 11:30 AM

related issues are merged and verified on bugfest

Craig McNally July 13, 2023 at 3:42 PM

will coordinate with to provide details on the issue since the Security level of this prevents the team from seeing it.

Craig McNally July 13, 2023 at 3:39 PM

This constitutes a serious, easily exploitable vulnerability. The Security team has assigned a priority of P1 to this and will be asking for the to be backported to Orchid and Nolana, possibly Morning Glory as well.

Done

Details

Assignee

Reporter

Priority

Story Points

Sprint

Development Team

Firebird

Fix versions

Release

Poppy (R2 2023)

RCA Group

Implementation coding issue

Created July 11, 2023 at 12:36 PM
Updated July 27, 2023 at 6:23 PM
Resolved July 27, 2023 at 11:30 AM