Details

    • Benefit: Medium
    • Security: Yes
    • SLA: Not Applicable
    • Rank: 0|i00sfz:
    • Damage Potential: 9

      Description

      Walrus does not check authorization for the GetBucketLoggingStatus, SetBucketLoggingStatus and SetBucketVersioningStatus operations.

      Walrus authenticates the user but does not verify that the user is permitted to perform the operation on the bucket.

      I've only verified the SetBucketVersioningStatus issue; the others are from code review, so may be incorrect (see WalrusManager).
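
The gap described in the report, a caller who is authenticated but never checked against the bucket, sketched as an added Python example (a constructed model, not Walrus or WalrusManager code). The class, the `enforce_authz` switch, the user names and the owner-only policy are assumptions made for illustration; the check at the end runs all three named operations as a non-owner and lists the ones that go through.

```python
# Constructed model, not Walrus code. Assumed policy: owner-only access.
class AccessDenied(Exception):
    """The caller is authenticated but not permitted on this bucket."""

class BucketService:
    def __init__(self, enforce_authz):
        self.enforce_authz = enforce_authz  # False models the reported behaviour
        self.buckets = {}

    def create_bucket(self, user, name):
        self.buckets[name] = {"owner": user, "versioning": "Disabled", "logging": {}}

    def _authorize(self, user, name):
        # 'user' is already authenticated; this is the separate permission check.
        bucket = self.buckets[name]
        if self.enforce_authz and user != bucket["owner"]:
            raise AccessDenied(f"{user} is not permitted on bucket {name}")
        return bucket

    def get_bucket_logging_status(self, user, name):
        return dict(self._authorize(user, name)["logging"])

    def set_bucket_logging_status(self, user, name, status):
        self._authorize(user, name)["logging"] = dict(status)

    def set_bucket_versioning_status(self, user, name, status):
        self._authorize(user, name)["versioning"] = status

OPERATIONS = {
    "GetBucketLoggingStatus": lambda s, u, b: s.get_bucket_logging_status(u, b),
    "SetBucketLoggingStatus": lambda s, u, b: s.set_bucket_logging_status(u, b, {"target": "logs"}),
    "SetBucketVersioningStatus": lambda s, u, b: s.set_bucket_versioning_status(u, b, "Enabled"),
}

def operations_open_to(user, enforce_authz):
    """Return the operations 'user' can complete on a bucket owned by alice."""
    svc = BucketService(enforce_authz)
    svc.create_bucket("alice", "reports")
    allowed = []
    for op, call in OPERATIONS.items():
        try:
            call(svc, user, "reports")
            allowed.append(op)
        except AccessDenied:
            pass
    return allowed

if __name__ == "__main__":
    print({e: operations_open_to("bob", e) for e in (False, True)})
```

Run as a regression test, an empty list for the non-owner is the passing result, and the owner must still be able to complete every operation.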

          1. Obtain CVE (Sub-task, Closed, Unassigned)
          2. Create ESA (Sub-task, Closed, Unassigned)
