Impact
rucio-webui installations of the 1.26 release line potentially leak the contents of cookies to other sessions within a WSGI container. As a result, Rucio authentication tokens are leaked to other users accessing the webui within a close timeframe, allowing those users to access the webui with the leaked authentication token. Privileges are therefore also escalated.
Rucio server / daemons are not affected by this issue; it is isolated to the webui.
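The following is an added illustration of this class of bug and is not Rucio's code or part of the advisory. The advisory does not state the root cause, so the module-level cookie list is an assumption, and all names (`leaky_app`, `safe_app`, `cookies_sent`, the `X-User` header used as a stand-in for login) are hypothetical. It doubles as a regression check: two requests served by the same worker must not share `Set-Cookie` headers.

```python
from http.cookies import SimpleCookie

# Assumed cause: module-level state lives as long as the WSGI worker process
# and is therefore shared by every request that worker serves.
_pending = []


def _token_for(environ):
    # Constructed stand-in for authentication; not how Rucio issues tokens.
    return "token-" + environ.get("HTTP_X_USER", "")


def leaky_app(environ, start_response):
    """Queues Set-Cookie headers in process-wide state and never resets it."""
    if environ.get("HTTP_X_USER"):
        _pending.append(("Set-Cookie", "x-auth-token=" + _token_for(environ)))
    start_response("200 OK", [("Content-Type", "text/plain")] + list(_pending))
    return [b"ok"]


def safe_app(environ, start_response):
    """Builds the header list per request, so nothing outlives the response."""
    headers = [("Content-Type", "text/plain")]
    if environ.get("HTTP_X_USER"):
        headers.append(("Set-Cookie", "x-auth-token=" + _token_for(environ)))
    start_response("200 OK", headers)
    return [b"ok"]


def cookies_sent(app, user=None):
    """Call a WSGI app once, in-process, and return the cookies it sets."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if user:
        environ["HTTP_X_USER"] = user
    captured = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)

    app(environ, start_response)
    jar = SimpleCookie()
    for name, value in captured:
        if name == "Set-Cookie":
            jar.load(value)
    return {key: morsel.value for key, morsel in jar.items()}
```

Calling `cookies_sent(leaky_app, "alice")` and then `cookies_sent(leaky_app)` shows the second, unauthenticated request receiving the first user's token; the same sequence against `safe_app` returns an empty cookie set.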
Patches
This issue is fixed in the 1.26.7 release of the rucio-webui.
Workarounds
Install the 1.25.7 webui release. The 1.25 and previous webui release lines are not affected by this issue.
References
rucio/rucio#4928