This repository has been archived by the owner on Jun 23, 2023. It is now read-only.

Version is publicly exposed #116

Open
nevets963 opened this issue Jan 16, 2022 · 0 comments

Comments

@nevets963 (Contributor) commented:

Within the /ping endpoint (https://github.com/getumbrel/umbrel-manager/blob/master/routes/ping.js#L5), the version of the component is publicly exposed, which could help an attacker quickly identify known vulnerabilities in a given Umbrel version.

e.g. 0.2.17 is shown at
https://testnet.getumbrel.com/manager-api/ping

As far as I can tell, the version isn't displayed anywhere in the dashboard, it is just set within the Vue state:
https://github.com/getumbrel/umbrel-dashboard/blob/686ae71962870b737cf84b0805b466be88b28c6d/src/store/modules/system.js#L37

Proposed solution: add JWT auth or remove the version number from the response.

The exact same issue exists for the middleware too: https://github.com/getumbrel/umbrel-middleware/blob/master/routes/ping.js#L5
Happy to open an issue within that repo too.
