These paths include:
- `/web/database/*`
- `/website/info`
Defaults are to use the same user as the database user, and the same password as the Odoo admin password, but there's actually nothing preventing you from changing that. Just play a bit with the labels.
Fix #49.
These paths:
- `/web/database/*`
- `/website/info`
can be considered critical because they offer world-wide read access to data that some people can consider sensitive, such as database names and installed addon names.
Not exactly fully critical, but can make some attacks easier.
A security patch will land in the scaffolding to protect these by default, by asking for HTTP auth, where you will have to know the Odoo database user and the admin password to get read access there, getting the benefit of a recently landed feature in Traefik (traefik/traefik#1147).
It should only affect production.
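One way to confirm on your own deployment that the protection described in this issue is active, as an added example that is not part of the original issue or the project's code: it sends anonymous requests to the listed paths and reports any that do not answer with a Basic-auth `401`. The concrete `/web/database/` subpaths, the function names and the loopback stub proxy are assumptions constructed for the demo.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Paths from the issue; the concrete /web/database/ subpaths are assumed examples.
PROTECTED = ["/web/database/selector", "/web/database/manager", "/website/info"]

def probe(base_url, path):
    """Anonymous GET; return (status, WWW-Authenticate header or None)."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=5) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:  # urllib raises on 401/403/404
        return err.code, err.headers.get("WWW-Authenticate")

def audit(base_url, paths=PROTECTED):
    """Return (path, status) for every path not answered with a Basic-auth 401."""
    exposed = []
    for path in paths:
        status, challenge = probe(base_url, path)
        if status != 401 or not (challenge or "").lower().startswith("basic"):
            exposed.append((path, status))
    return exposed

class StubProxy(BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured proxy: guards /web/database/ only."""
    def do_GET(self):
        if self.path.startswith("/web/database/") and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="constructed"')
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    """Run the audit against the stub on a loopback port and return its findings."""
    server = HTTPServer(("127.0.0.1", 0), StubProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit("http://127.0.0.1:%d" % server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

Against a real production hostname, call `audit("https://your-host")`; an empty list means every listed path demanded credentials.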