Invalid system user credentials usage

Description

Steps to reproduce:

  1. Get the username of the mod-remote-storage system user.

  2. Log in with that username (the password is the same as the username).


Expected result:

Login fails; the password is taken from environment variables (keeping the current one as the default).


Actual result:

Login is successful

Additional information:

https://folio-org.atlassian.net/wiki/display/SEC/Hardcoded+System+User+Credentials
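The expected behaviour from the description, as an added illustration (not code from mod-remote-storage or the FOLIO project): the system user's password is resolved from an environment variable, the current username-as-password value stays the default, and the weak case is flagged so operators can see it at startup. The variable name SYSTEM_USER_PASSWORD and the sample username are assumptions.

```python
import hmac
import os
from dataclasses import dataclass
from typing import List, Mapping, Optional

# Assumed name: the issue does not state the real variable used by the module.
PASSWORD_ENV_VAR = "SYSTEM_USER_PASSWORD"


@dataclass(frozen=True)
class SystemUserConfig:
    username: str
    password: str
    # True when the effective password is the username, i.e. the default
    # the issue reports as being accepted at login.
    weak_default: bool


def load_system_user(username: str,
                     environ: Optional[Mapping[str, str]] = None) -> SystemUserConfig:
    """Resolve the system user's password: env variable first, username as fallback."""
    env = os.environ if environ is None else environ
    configured = env.get(PASSWORD_ENV_VAR)
    if not configured:
        # Keep the current default, but record that it is the weak one.
        return SystemUserConfig(username, username, weak_default=True)
    # An operator may still have set the variable to the username; flag that too.
    return SystemUserConfig(username, configured, weak_default=(configured == username))


def weak_credential_warnings(cfg: SystemUserConfig) -> List[str]:
    """Messages an operator should see at startup for a weak configuration."""
    if not cfg.weak_default:
        return []
    return [f"system user '{cfg.username}' uses its username as password; "
            f"set {PASSWORD_ENV_VAR} to a distinct secret"]


def verify_login(cfg: SystemUserConfig, username: str, password: str) -> bool:
    """Constant-time comparison of a presented login against the resolved config."""
    return (hmac.compare_digest(cfg.username.encode(), username.encode())
            and hmac.compare_digest(cfg.password.encode(), password.encode()))


if __name__ == "__main__":
    # Constructed sample: nothing in the environment, so the weak default applies.
    cfg = load_system_user("example-system-user", environ={})
    for line in weak_credential_warnings(cfg):
        print("WARNING:", line)
    print("username-as-password accepted:",
          verify_login(cfg, "example-system-user", "example-system-user"))
```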

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Activity

Craig McNally July 13, 2023 at 3:42 PM

will coordinate with to provide details on the issue since the Security level of this prevents the team from seeing it.

Craig McNally July 13, 2023 at 3:39 PM

This constitutes a serious, easily exploitable vulnerability. The Security team has assigned a priority of P1 to this and will be asking for the to be backported to Orchid and Nolana, possibly Morning Glory as well.

Done

Details

Assignee

Reporter

Priority

Development Team

Volaris

Release

Poppy (R2 2023)

RCA Group

TBD

Created July 11, 2023 at 12:36 PM
Updated July 27, 2023 at 3:28 PM
Resolved July 27, 2023 at 3:28 PM