Node rescans possible in WebUI with ROLE_USER

Description

On the node page (element/node.jsp), the link for starting a "Rescan" is only visible for admin users (ROLE_ADMIN). If I log in as a normal user (ROLE_USER only), the link is hidden, but it is possible to start a rescan by manually opening the page element/rescan.jsp?node=<ID>.

This can be solved by adding the following line to applicationContext-spring-security.xml:

<intercept-url pattern="/element/rescan.jsp" access="ROLE_ADMIN" />
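The fix above only works if the new rule is reached at all: Spring Security evaluates intercept-url elements top to bottom and the first matching pattern decides, and the match is made on the request path only, so the ?node=<ID> query string never affects it. The following added example (written for this issue, not OpenNMS code) models that evaluation so the placement of the rule can be checked offline. The three XML fragments are constructed stand-ins for the relevant part of applicationContext-spring-security.xml, the ant-style matcher is a simplified re-implementation of Spring's path matching, and the assumption that an OpenNMS admin also holds ROLE_USER is mine.

```python
"""Model Spring Security <intercept-url> evaluation for the rescan.jsp fix.

Added example for this issue, not OpenNMS code.  The XML fragments are
constructed for illustration; the matcher is a simplified version of
Spring's AntPathRequestMatcher (first matching rule wins, query string
is ignored, any role listed in access= grants access).
"""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the vulnerable configuration: every page under
# /element/ is reachable by any authenticated user, rescan.jsp included.
BEFORE = """<http xmlns="http://www.springframework.org/schema/security">
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
  <intercept-url pattern="/element/**" access="ROLE_USER" />
  <intercept-url pattern="/**" access="ROLE_USER" />
</http>"""

# The proposed fix, with the rescan rule placed BEFORE the broader /element/** rule.
AFTER = """<http xmlns="http://www.springframework.org/schema/security">
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
  <intercept-url pattern="/element/rescan.jsp" access="ROLE_ADMIN" />
  <intercept-url pattern="/element/**" access="ROLE_USER" />
  <intercept-url pattern="/**" access="ROLE_USER" />
</http>"""

# A tempting but ineffective placement: /element/** matches first, so the
# rescan rule is never consulted and the bug remains.
WRONG_ORDER = """<http xmlns="http://www.springframework.org/schema/security">
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
  <intercept-url pattern="/element/**" access="ROLE_USER" />
  <intercept-url pattern="/element/rescan.jsp" access="ROLE_ADMIN" />
  <intercept-url pattern="/**" access="ROLE_USER" />
</http>"""


def ant_to_regex(pattern):
    """Translate an ant-style path pattern (**, *, ?) into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")          # any number of path segments
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")       # anything within one segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")        # one character within a segment
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def load_rules(xml_text):
    """Return [(pattern, compiled_regex, {roles})] in document order."""
    rules = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "intercept-url":   # strip the XML namespace
            roles = {r.strip() for r in el.get("access", "").split(",") if r.strip()}
            rules.append((el.get("pattern"), ant_to_regex(el.get("pattern")), roles))
    return rules


def is_allowed(rules, url, granted_roles):
    """First matching rule decides; returns (allowed, pattern_that_decided)."""
    path = url.split("?", 1)[0]   # intercept-url matches the path, never the query string
    for pattern, regex, roles in rules:
        if regex.match(path):
            return bool(roles & set(granted_roles)), pattern
    return True, None             # no rule matched: the request is not intercepted


RESCAN = "/element/rescan.jsp?node=1"
USER = {"ROLE_USER"}
ADMIN = {"ROLE_ADMIN", "ROLE_USER"}   # assumption: admins also hold ROLE_USER


def check(xml_text):
    """Summarise who can reach rescan.jsp and whether node.jsp still works for users."""
    rules = load_rules(xml_text)
    return {
        "user_can_rescan": is_allowed(rules, RESCAN, USER)[0],
        "admin_can_rescan": is_allowed(rules, RESCAN, ADMIN)[0],
        "user_can_view_node": is_allowed(rules, "/element/node.jsp?node=1", USER)[0],
    }


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("wrong order", WRONG_ORDER)):
        print(f"{name:12s} {check(cfg)}")
```

Running the block shows the expected outcome for the fixed configuration (users lose rescan.jsp, admins keep it, node.jsp is still viewable by users) and that the same rule appended after /element/** changes nothing. When applying the fix, place the rescan rule above any broader /element/ pattern in the real file and re-test with a ROLE_USER account, since the hidden link is not an access control.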

Acceptance / Success Criteria

None

Activity

Gabriela Lopez January 31, 2023 at 7:15 PM

Information Security risk assessed item as low.

CVSS 3.8 × low likelihood 0.5 = 1.9 (Low)

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:A/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

Benjamin Reed June 9, 2016 at 2:06 PM

Fixed in foundation-2016, cherry-picked to Meridian release-2016.1.0.

Fixed

Details

Created February 12, 2016 at 8:04 AM
Updated January 31, 2023 at 7:15 PM
Resolved June 9, 2016 at 2:06 PM
