[NMS-8431] Security issue for all admin vaadin applications exposed as OSGI Service - The OpenNMS Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 14.0.0, Meridian-2015.1.0
Fix Version/s: 20.0.2, Meridian-2015.1.6, Meridian-2016.1.6
Component/s: OSGi, Web UI - General
Security Level: Default (Default Security Scheme)
Labels:
None

Sprint:
Horizon - July 5th, Horizon - July 12th, Horizon - July 26th

Description

Usually the Vaadin Applications are embedded as an iframe.
If you know the embedded url, you can get access to the application even if you are not authorized.

Example:
Login to demo.opennms.org with the demo user
Go to the following page: demo.opennms.org/opennms/osgi/jmx-config-tool

TADA you now have access to a restricted area.

Basically all osgi deployed applications are bridged AND accessible via /osgi/.

Attachments

Activity

People

Assignee:: Markus von Rüden

Reporter:: Markus von Rüden

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 17/May/16 3:36 AM

Updated:: 21/Sep/17 3:08 PM

Resolved:: 02/Aug/17 2:46 PM