# fleet
n
Hi, carrying out some security checks on fleet v3.13 we realized that session management, once logged in, is not well handled for some features. For example, using a non-privileged account it was possible not only to check the content returned by the /settings/osquery URI but also to change it. As a non-privileged user that information was not accessible from the web UI, but using an intermediate proxy it could be seen that the server responses included that content.
t
Hi Nacho, thank you for looking into this! 3.13 is a pretty old version, would you be able to update to the latest 4.4.1?
n
We have planned it, we checked that this does not happen in newer versions with RBAC implemented.
But we thought it would be interesting to share it.
t
It definitely is, thank you for sharing! Let me know if I can be of any help with the upgrade.
n
Thanks!!
j
I wonder what the pace of the community is when upgrading FleetDM? 3.13 does not seem that old to me, as it was released 4 months ago :D
t
That's a fair point. Practically speaking, we're cutting patch releases for the latest minor version we've worked on. Usually people upgrade frequently, but we don't have specific numbers that I know of to back this up, just a feeling based on conversations.