Security issue: Unauthorized copy of default-config to startup-config via REST API in version 8.0.13
After upgrading to confd version 8.0.13, users without admission permissions are able to copy default-config to startup-config through the REST API. This presents a security risk as unauthorized users should not have the ability to perform this action.
Steps to reproduce:
- Upgrade to confd version 8.0.13
- Attempt to copy default-config to startup-config via the REST API as a user without admission permissions
Expected behavior: The operation should be denied for users without admission permissions.
Actual behavior: The operation is allowed even without the required permissions.
Impact: Users without proper permissions can modify configuration, which may lead to security risks.
Please investigate and address this issue.
Logs:
[root@orro-bne3-slx1]# curl -v -u user:password -d '
*   Trying 10.152.3.145...
* TCP_NODELAY set
* Connected to 10.152.3.145 (10.152.3.145) port 80 (#0)
* Server auth using Basic with user 'user'
> POST /rest/operations/bna-config-cmd HTTP/1.1
> Host: 10.152.3.145
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/7.61.0
> Accept: */*
> Content-Length: 85
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 85 out of 85 bytes
< HTTP/1.1 200 OK
< Date: Fri, 08 Aug 2025 16:58:04 GMT
< Server: SLX-OS WWW
< Authentication-Token: O2gzOFhiaklJSENaY21gMEhKY0xgRG84W3N7WVY8Xkk=
< Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
< Content-Length: 120
< Content-Type: application/vnd.yang.operation+xml
< Pragma: no-cache
< Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none';
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< X-Forwarded-Proto: http
<
* Connection #0 to host 10.152.3.145 left intact
[root@orro-bne3-slx1]#
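A regression check for the expected behaviour above (the RPC must be denied for a user without the required permissions), added here as an example; it is not part of the report or of confd/SLX-OS. It assumes HTTP Basic auth against /rest/operations/bna-config-cmd as in the log, and uses a placeholder request body because the report truncates the real one.

```python
"""Regression check: a low-privilege user must NOT be able to invoke
/rest/operations/bna-config-cmd. A 401/403 is the expected (fixed)
behaviour; a 2xx reproduces the reported authorization defect.
Assumptions: stdlib only, HTTP Basic auth as in the report, RPC body
supplied by the operator (placeholder below)."""
import base64
import urllib.error
import urllib.request

ENDPOINT = "/rest/operations/bna-config-cmd"   # endpoint from the report
DENIED = {401, 403}


def classify(status: int) -> str:
    """Map the HTTP status of the privileged RPC to a verdict."""
    if status in DENIED:
        return "denied"          # expected behaviour
    if 200 <= status < 300:
        return "allowed"         # authorization bypass (the reported defect)
    return "inconclusive"        # e.g. 400/500: authz may not have been reached


def probe(host: str, user: str, password: str, payload: bytes,
          opener=urllib.request.urlopen) -> str:
    """Send the RPC as `user` and classify the result. `opener` is
    injectable so the logic can be exercised without a device."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"http://{host}{ENDPOINT}", data=payload, method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with opener(req) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as e:   # urlopen raises on 4xx/5xx
        return classify(e.code)


if __name__ == "__main__":
    import sys
    host, user, password = sys.argv[1:4]
    # PLACEHOLDER: the report truncates the RPC body; supply the
    # "copy default-config startup-config" payload your device accepts.
    body = b"PLACEHOLDER_RPC_BODY"
    verdict = probe(host, user, password, body)
    print(f"{user}@{host}: {verdict}")
    sys.exit(0 if verdict == "denied" else 1)
```

Run it with the credentials of a user that lacks admission permissions; a non-zero exit means the device still allows the operation.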