  1. Kudu
  2. KUDU-1918

Prevent hijacking of scanners by other users


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 1.3.0
    • Fix Version/s: n/a
    • Component/s: security, tserver
    • Labels:
      None

      Description

      Currently the UUIDs used for scanner IDs are using boost::uuid, which doesn't necessarily use a secure random source. If these turn out to be predictable, some attack around scanner hijacking might be possible. We should use an unpredictable source for scanner IDs, or save the original authenticated user in the Scanner and ensure that the authentication does not switch mid-scan.
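Both mitigations named in the description, combined in one sketch. This is an added example, not Kudu's code: `ScannerRegistry`, `NewScannerId` and the other names are hypothetical, and it assumes a Unix-like host where `/dev/urandom` is the kernel CSPRNG.

```cpp
#include <fstream>
#include <stdexcept>
#include <string>
#include <unordered_map>

// Hypothetical types for illustration; not Kudu's scanner manager.
struct Scanner {
  std::string owner;  // authenticated user that opened the scan
  int batches_served;
};

// 128-bit scanner ID drawn from the kernel CSPRNG, hex-encoded (32 chars).
// Fails closed: no fallback to a weaker generator if the read fails.
std::string NewScannerId() {
  unsigned char buf[16];
  std::ifstream urandom("/dev/urandom", std::ios::binary);
  if (!urandom.read(reinterpret_cast<char*>(buf), sizeof(buf)))
    throw std::runtime_error("no secure random source");
  static const char kHex[] = "0123456789abcdef";
  std::string id;
  for (unsigned char b : buf) {
    id += kHex[b >> 4];
    id += kHex[b & 0x0f];
  }
  return id;
}

enum class Lookup { kOk, kNotFound, kWrongUser };

class ScannerRegistry {
 public:
  // Record the authenticated identity at scan-open time.
  std::string Open(const std::string& authenticated_user) {
    std::string id = NewScannerId();
    scanners_[id] = Scanner{authenticated_user, 0};
    return id;
  }

  // Continue a scan only if the caller is the user who opened it.
  // kWrongUser is kept distinct for server-side logging; the response sent
  // to the client can report it the same way as kNotFound.
  Lookup Continue(const std::string& id, const std::string& authenticated_user) {
    auto it = scanners_.find(id);
    if (it == scanners_.end()) return Lookup::kNotFound;
    if (it->second.owner != authenticated_user) return Lookup::kWrongUser;
    ++it->second.batches_served;
    return Lookup::kOk;
  }

 private:
  std::unordered_map<std::string, Scanner> scanners_;
};
```

The owner check holds even if an ID leaks or is guessed, so the two measures are complementary rather than alternatives.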


            People

            • Assignee:
              tlipcon Todd Lipcon
              Reporter:
              tlipcon Todd Lipcon
