Open Razniak opened 4 months ago
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
A user with low privileges (guest and limited guest) can display the list of defined Labels via the API, but according to the documentation they should not be able to do this. Also, the user may gain unauthorized access to the functionality for adding users/groups to the project in order to carry out enumeration attacks. It is possible to carry out an attack by direct reference to an object using the API. Is this behavior also correct, or should a user with low privileges be able to verify via the API whether other users exist in the application? A user with low privileges can also see the defined CVE allowlist via the API, which is only available at the administrator level.