As part of a proactive security audit, we discovered and corrected the following vulnerabilities. We recommend all self-hosted installations of Humio update to the latest security release.
Insecure direct object reference
Status: Fixed in Humio 1.10
Classification: Medium
Fixed an issue that allowed an authenticated user to view another user's information by supplying that user's userID. We found no evidence that this issue was exploited on our cloud.
UI Clickjacking made it possible to read an API Token
Status: Fixed in Humio 1.10
Classification: Medium
Fixed an issue that made it possible for an attacker to craft an external web page which, when visited by a user who was authenticated in Humio and who clicked a link on that page, could steal the user's Humio API token. The attack is relatively difficult to carry out and requires an active Humio session at the time of the visit, but we decided to fix it regardless.
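Self-hosted operators can check whether their Humio front end is still framable by another origin, which is the precondition for this class of clickjacking. The following is an added example (not Humio's code or the original advisory) that evaluates a response's framing headers the way a browser does: a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options, DENY and SAMEORIGIN are honoured, and anything else (missing header, the obsolete ALLOW-FROM) is reported as unprotected. Assumptions: a single header value per name, and scheme-less CSP sources accepting any scheme (the spec ties them to the page's own scheme); the origins and header sets in the `__main__` block are constructed.

```python
"""Decide whether a response may be embedded in a frame by a given origin.
Added example for evaluating clickjacking defences; not Humio's code."""
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit


def _split_origin(origin: str) -> Tuple[str, str, int]:
    """Normalise an origin into (scheme, host, port) with default ports applied."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, (parts.hostname or "").lower(), port


def _source_matches(source: str, embedder: str) -> bool:
    """Match one CSP host-source (e.g. https://*.corp.example:8443) against
    the embedding origin. Simplification (assumption): a source with no scheme
    matches any scheme; the spec restricts it to the page's own scheme."""
    e_scheme, e_host, e_port = _split_origin(embedder)
    src = source.lower()
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:          # scheme-source such as "https:"
        return e_scheme == src[:-1]
    s_scheme = None
    if "://" in src:
        s_scheme, src = src.split("://", 1)
    if s_scheme is not None and s_scheme != e_scheme:
        return False
    src = src.split("/", 1)[0]                         # frame-ancestors ignores any path part
    host, _, port = src.partition(":")
    if port and port != "*" and (not port.isdigit() or int(port) != e_port):
        return False
    if not port and e_port != (443 if e_scheme == "https" else 80):
        return False
    if host.startswith("*."):
        return e_host.endswith(host[1:])               # *.corp.example does not match corp.example itself
    return host == e_host


def framing_verdict(headers: Mapping[str, str], page_origin: str, embedder: str) -> str:
    """Return 'blocked', 'allowed' or 'unprotected' for a page at page_origin
    that `embedder` tries to load in an iframe, given the response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    same_origin = _split_origin(page_origin) == _split_origin(embedder)

    # CSP frame-ancestors, when present, overrides X-Frame-Options entirely.
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.strip().split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = tokens[1:]
        if not sources or any(s.lower() == "'none'" for s in sources):
            return "blocked"                           # an empty source list also means 'none'
        for s in sources:
            if s.lower() == "'self'":
                if same_origin:
                    return "allowed"
            elif not s.startswith("'") and _source_matches(s, embedder):
                return "allowed"
        return "blocked"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "allowed" if same_origin else "blocked"
    return "unprotected"                               # missing, malformed, or obsolete ALLOW-FROM


if __name__ == "__main__":
    # Constructed origins and headers for illustration only.
    page, attacker = "https://humio.example", "https://attacker.example"
    print(framing_verdict({}, page, attacker))                                    # unprotected
    print(framing_verdict({"X-Frame-Options": "DENY"}, page, attacker))          # blocked
    print(framing_verdict({"Content-Security-Policy": "frame-ancestors 'none'"},
                          page, attacker))                                        # blocked
```

A deployment that wants to allow embedding only from its own intranet portal would send `frame-ancestors 'self' https://*.corp.example` rather than loosening X-Frame-Options; the verdict function makes the precedence visible, since a DENY alongside such a CSP header no longer blocks the listed origins.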
Denial of service using insecure deserialization of XML
Status: Fixed in Humio 1.10
Classification: Medium
Fixed an issue related to insecure deserialization of XML in our parsers and the xml:prettyPrint() function. It would have allowed an authenticated user to craft an XML payload that exhausted the node responsible for reading it. We found no evidence that this issue was exploited on our cloud.
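The usual way an XML payload exhausts the parsing node is entity expansion ("billion laughs") or extreme nesting, so the defence is to refuse such documents before the real parser expands anything. The following is an added example, not Humio's code or the advisory's: a first pass with raw Expat rejects any DOCTYPE or entity declaration and caps nesting depth, element count and payload size, and only then is the document parsed and pretty-printed. The `gate_xml`/`safe_parse`/`pretty_print` names, the limits, and the sample documents are all constructed for this illustration; nothing here describes how Humio's parsers or xml:prettyPrint() were actually fixed.

```python
"""Resource-bounded XML intake: refuse payloads that blow up on expansion
before handing them to the tree parser. Added example; not Humio's code."""
import xml.etree.ElementTree as ET
from typing import Optional
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when the pre-parse gate refuses a payload."""


def gate_xml(data: bytes, *, max_bytes: int = 1_000_000,
             max_depth: int = 64, max_elements: int = 100_000) -> None:
    """Streaming pre-check with raw Expat. Entity and DOCTYPE declarations are
    refused outright (this is where 'billion laughs' starts), and nesting depth
    and element count are capped so a flat but huge document is also bounded."""
    if len(data) > max_bytes:
        raise UnsafeXMLError(f"payload of {len(data)} bytes exceeds {max_bytes}")

    depth = 0
    count = 0
    parser = expat.ParserCreate()

    def refuse_doctype(*_):
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")

    def refuse_entity(*_):
        raise UnsafeXMLError("entity declarations are not accepted")

    def start(name, attrs):
        nonlocal depth, count
        depth += 1
        count += 1
        if depth > max_depth:
            raise UnsafeXMLError(f"nesting depth exceeds {max_depth}")
        if count > max_elements:
            raise UnsafeXMLError(f"more than {max_elements} elements")

    def end(name):
        nonlocal depth
        depth -= 1

    # Exceptions raised inside Expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def refusal_reason(data: bytes, **limits) -> Optional[str]:
    """The gate's refusal message, or None when the payload is accepted."""
    try:
        gate_xml(data, **limits)
    except UnsafeXMLError as exc:
        return str(exc)
    return None


def safe_parse(data: bytes, **limits) -> ET.Element:
    """Gate first, then build the tree with ElementTree."""
    gate_xml(data, **limits)
    return ET.fromstring(data)


def pretty_print(data: bytes, **limits) -> str:
    """Bounded analogue of a prettyPrint function: indent the gated document."""
    root = safe_parse(data, **limits)
    ET.indent(root)  # Python 3.9+
    return ET.tostring(root, encoding="unicode")


# Constructed samples. BILLION_LAUGHS is kept to two levels so it is harmless
# even if parsed unguarded; the gate refuses it at the DOCTYPE anyway.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""
DEEP_NESTING = b"<a>" * 200 + b"</a>" * 200
WIDE_DOCUMENT = b"<r>" + b"<x/>" * 50 + b"</r>"
BENIGN = b"<event><host>web-1</host><status>200</status></event>"

if __name__ == "__main__":
    for name, doc in [("billion laughs", BILLION_LAUGHS), ("deep nesting", DEEP_NESTING),
                      ("benign", BENIGN)]:
        print(f"{name}: {refusal_reason(doc) or 'accepted'}")
    print(pretty_print(BENIGN))
```

Refusing DTDs altogether is the right default for a log-ingest or query-function context: legitimate event payloads do not need internal entities, and the check costs one streaming pass with no tree allocation. The depth and element caps should be tuned to the largest document the feature legitimately has to accept.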
Insecure deserialization of YAML
Status: Fixed in Humio 1.10 and 1.9.3
Classification: Medium
Fixed an issue related to insecure deserialization of YAML in our dashboard template files. It would have allowed an authenticated user to craft a YAML file that, when uploaded, exhausted the node responsible for reading it. We found no evidence that this issue was exploited on our cloud.