Describe the bug:
1. On the login page a user can attempt to connect to any database service reachable from the system's environment, and there is no limit on the number of attempts and no image CAPTCHA check. As a result, the address field can be enumerated to probe the internal network (SSRF), and database usernames and passwords can be brute-forced for weak credentials.
2. At the http://127.0.0.1:31018/api/v1/milvus/connect endpoint, the address parameter can be enumerated to probe the internal network, or username and password can be enumerated to brute-force account credentials.
Suggested fixes:
1. Add an image CAPTCHA to the connect operation to defend against brute-force and enumeration attacks.
2. Validate the range of address and only allow connections to specific servers.
3. Encrypt the username and password before transmitting them.
Attu version:
2.4.0