jaredjennings / helm-thehive

*Unofficial* Helm chart for TheHive
GNU Affero General Public License v3.0

hardcoded default admin password #4

Open jaredjennings opened 3 years ago

jaredjennings commented 3 years ago

The initial admin password is hardcoded. This makes the app vulnerable by default. Within a Kubernetes cluster and using Helm, we can create a random initial admin password, and show how to get it in the NOTES, so security doesn't have to be sacrificed in this way.

Changes to TheHive's entry point will be necessary in order to catch an admin password thrown in from a Secret. I don't know of a TheHive issue about this yet.
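
One way to do the Helm side of what the comment above describes, as an added example that is not part of this chart or of TheHive. It renders a Secret whose `admin-password` key is taken from a `.Values.adminPassword` override if set, otherwise generated with Sprig's `randAlphaNum`, and it uses `lookup` plus the `helm.sh/resource-policy: keep` annotation so the value survives `helm upgrade` and `helm uninstall` instead of being regenerated every release. The template file name, the Secret name pattern and the `adminPassword` value key are assumptions for the example; wiring the Secret into TheHive's entry point is the separate change the comment mentions and is not shown here.

```yaml
# templates/admin-secret.yaml  (example template, not from the chart)
#
# Secret name is "<release>-admin"; assumed naming for this example.
{{- $secretName := printf "%s-admin" .Release.Name }}
# lookup needs cluster access; under `helm template` / `--dry-run` it
# returns an empty dict, so a fresh password is generated each render.
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
{{- $password := "" }}
{{- if $existing }}
# Secret already exists (upgrade): reuse the stored value unchanged.
{{-   $password = index $existing.data "admin-password" | b64dec }}
{{- else if .Values.adminPassword }}
# Operator supplied a password explicitly (assumed values key).
{{-   $password = .Values.adminPassword }}
{{- else }}
# First install with no override: 32 random alphanumeric characters.
{{-   $password = randAlphaNum 32 }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  labels:
    app.kubernetes.io/name: thehive
    app.kubernetes.io/instance: {{ .Release.Name }}
  annotations:
    # Keep the Secret on uninstall so the password is not lost with the release.
    "helm.sh/resource-policy": keep
type: Opaque
data:
  admin-password: {{ $password | b64enc | quote }}
```

To surface it the way the comment suggests, `templates/NOTES.txt` would print a retrieval command along the lines of `kubectl get secret --namespace {{ .Release.Namespace }} {{ .Release.Name }}-admin -o jsonpath='{.data.admin-password}' | base64 --decode; echo`, so the password is never written into the chart or into `values.yaml` defaults. Two caveats: a Secret is only base64-encoded, so RBAC on `get secret` in the namespace is what actually protects the value, and the `lookup` reuse only works when Helm can talk to the API server, which it cannot during `helm template`.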

jaredjennings commented 3 years ago

The default admin password is hardcoded here. I searched for an issue about this and did not find one.

jaredjennings commented 3 years ago

This is a design-level consideration in TheHive and Cortex. Database upgrades are accomplished using a button that shows up in the web UI after a software upgrade; no authentication is necessary to click it.

I'm going to leave this issue here for now, but I don't really expect any progress to happen anytime soon.