  1. OpenNMS
  2. NMS-5184

Any authenticated user can use the snmpConfig ReST service

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.8.17, 1.10.0
    • Fix Version/s: 1.10.1
    • Component/s: REST
    • Security Level: Default (Default Security Scheme)
    • Labels:

      Description

      The snmpConfig ReST service will happily give up the SNMP configuration data, including community strings (but happily not USM credentials) for a particular IP address. This fact breaks with a long-standing policy of the SNMP configuration being a "trap door" into which only admin users can put stuff and from which no user (not even an admin) can retrieve stuff except by virtue of having an operating system account on the OpenNMS server. Also, it appears that even non-admin users are allowed to do a PUT to this service, which should not be the case. At minimum I think ROLE_ADMIN should be required for a user to GET or PUT to this service.

            People

            • Assignee:
              seth Seth Leger
              Reporter:
              jeffg Jeff Gehlbach
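The following is an added example, not part of the original report and not OpenNMS code: it models first-match URL access rules to show the reported gap (any authenticated user reaching snmpConfig with GET or PUT), the minimum fix the reporter asks for (ROLE_ADMIN), and how a correct rule placed after a broad one is shadowed. The path `/rest/snmpConfig/...`, the role name ROLE_USER, the user names and the rule tables are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed rule tables: (path pattern, HTTP methods, role required).
# The /rest/snmpConfig/ path and ROLE_USER are assumptions; the issue itself
# names only the snmpConfig service and ROLE_ADMIN.
ALL_METHODS = {"GET", "PUT", "POST", "DELETE"}
WEAK = [
    ("/rest/*", ALL_METHODS, "ROLE_USER"),
]
HARDENED = [
    ("/rest/snmpConfig/*", {"GET", "PUT"}, "ROLE_ADMIN"),
    ("/rest/*", ALL_METHODS, "ROLE_USER"),
]
# Same rules in the wrong order: the broad rule matches first and shadows the fix.
MISORDERED = list(reversed(HARDENED))


def required_role(rules, method, path):
    """Return the role demanded by the first matching rule, or None (deny)."""
    for pattern, methods, role in rules:
        if method in methods and fnmatchcase(path, pattern):
            return role
    return None


def allowed(rules, user_roles, method, path):
    """True if the first matching rule names a role the user holds."""
    role = required_role(rules, method, path)
    return role is not None and role in user_roles


def audit(rules, path="/rest/snmpConfig/192.0.2.10"):
    """List (user, method) pairs that reach snmpConfig without ROLE_ADMIN."""
    users = {  # constructed test accounts
        "operator": {"ROLE_USER"},
        "admin": {"ROLE_USER", "ROLE_ADMIN"},
    }
    findings = []
    for name, roles in users.items():
        for method in ("GET", "PUT"):
            if "ROLE_ADMIN" not in roles and allowed(rules, roles, method, path):
                findings.append((name, method))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED),
                         ("misordered", MISORDERED)):
        print(label, audit(rules))
```

An empty list from `audit` means no non-admin account can GET or PUT the service; running the same matrix against a deployed rule set is a cheap regression check for this class of bug.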