Uploaded image for project: 'FOLIO'
  1. FOLIO
  2. FOLIO-2524

Security Audit raised issues

    XMLWordPrintable

Details

    • CP: sprint 86, CP: Roadmap backlog, CP: sprint 85
    • Core: Platform

    Description

      Title Related JIRA
      Lack of Authentication Checks on /_/proxy/* OKAPI-767
      Denial of Service Via CQL Queries FOLIO-2563
      HTTP Response Header Injection FOLIO-2564
      No Expiration on JSON Web Tokens FOLIO-2556
      Arbitrary URL Redirection in SAML Response MODLOGSAML-58
      Misleading Permission Set Configuration FOLIO-2565
      Cross-Site Request Forgery (CSRF) in SSO Flow MODLOGSAML-59
      User Enumeration Low TODO
      Denial of Service Through User Lockout Low TODO
      Server Headers Reveal Excessive Information Low TODO

      TestRail: Results

        Attachments

          Issue Links

            is blocked by

            Task - A task that needs to be done. FOLIO-2556 SPIKE: investigate refresh tokens support in FOLIO

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Task - A task that needs to be done. FOLIO-2563 SPIKE: propose prevention of DoS via CQL query

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Task - A task that needs to be done. FOLIO-2564 investigate HTTP Response Header injection

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. FOLIO-2565 Misleading Permission Set Configuration

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Task - A task that needs to be done. FOLIO-2578 Misleading Permission Set Configuration - Part 2

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. MODLOGSAML-58 Arbitrary URL Redirection in SAML Response

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            New Feature - New feature requests OKAPI-767 permissionsRequired required (securing APIs by default)

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Task - A task that needs to be done. RMB-617 Security audit of JsonSchemasAPI.java and RamlsAPI.java

            • P2 - normal priority level, must be included in the current development cycle
            • Open
            relates to

            New Feature - New feature requests FOLIO-1233 Implement refresh tokens

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. MODLOGIN-128 It is possible to fetch password hashes for all users

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            New Feature - New feature requests RMB-534 Reject CQL queries that match no index in schema.json

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Open

            Bug - A problem which impairs or prevents the functions of the product. MODLOGSAML-59 Umbrella: Cross-Site Request Forgery (CSRF) in SSO Flow

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Activity

              People

                jakub Jakub Skoczen
                jakub Jakub Skoczen
                Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                  Created:
                  Updated:

                  TestRail: Runs

                    TestRail: Cases