[jira] [Updated] (HBASE-25407) list_regions make potential sensitive information disclosure

Viraj Jasani (Jira) Thu, 17 Dec 2020 22:50:06 -0800


     [ 
https://issues.apache.org/jira/browse/HBASE-25407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Viraj Jasani updated HBASE-25407:
---------------------------------
    Fix Version/s: 2.4.1
                   2.5.0
                   2.3.4
                   2.2.7
                   1.7.0
                   3.0.0-alpha-1

> list_regions make potential sensitive information disclosure
> ------------------------------------------------------------
>
>                 Key: HBASE-25407
>                 URL: https://issues.apache.org/jira/browse/HBASE-25407
>             Project: HBase
>          Issue Type: Bug
>            Reporter: lujie
>            Priority: Critical
>             Fix For: 3.0.0-alpha-1, 1.7.0, 2.2.7, 2.3.4, 2.5.0, 2.4.1
>
>         Attachments: image-2020-12-18-13-00-20-126.png, 
> image-2020-12-18-13-07-00-777.png
>
>
> I found that I can get other users' region information which is not expected.
>   
>  For example i create a table as sysadmin, then I can read the region 
> information as user1.
>  !image-2020-12-18-13-00-20-126.png!
>   
>  I have found that list_regions is introduced by 
> https://issues.apache.org/jira/browse/HBASE-14925
>  
> we can also get the region info by rest  
>  
> !image-2020-12-18-13-07-00-777.png!
>  
> I am just confused about why there  is no ACL on the regions, because  i 
> think we expose more informaiton, we will be in more danger case, and even be 
> attacked by others. 
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (HBASE-25407) list_regions make potential sensitive information disclosure

Reply via email to