#fleet

Nacho Rivera

10/13/2021, 2:54 PM
Hi, carrying out some security checks into fleet v:3.13 we realized session management once logged in is not well handled regarding some features. For example, using a non-privileged account it was possible not only to check the content returned by /settings/osquery URI but also change it. As non-priv user from web UI that information was not accessible, but using an intermediate proxy it could be seen that server responses included that content
Tomas Touceda

10/13/2021, 2:56 PM
hi Nacho, thank you for looking into this! 3.13 is a pretty old version, would you be able to update to the latest 4.4.1?
Nacho Rivera

10/13/2021, 2:58 PM
We have planned it, we checked that this does not happen using new versions with RBAC implemented
2:58 PM
But we thought it would be interesting to share it
Tomas Touceda

10/13/2021, 3:02 PM
it definitely is, thank you for sharing! let me know if I can be of any help with the upgrade
Nacho Rivera

10/13/2021, 3:03 PM
Thanks!!
Juan Alvarez

10/13/2021, 3:05 PM
I wonder what is the pace of the community when upgrading FleetDM? 3.13 does not seem pretty old to me as it was released 4 months ago 😄
Tomas Touceda

10/13/2021, 3:29 PM
that's a fair point. Practically speaking, we're cutting patch releases for the latest minor version we've worked on. Usually people upgrade frequently, but we don't have specific numbers that I know of to back this up, just a feeling based on conversations