Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-14886

Username disclosure for API keys via gem api_key API

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: 5.6.0
    • Component/s: Security
    • Labels:
      None

      Description

      If you hit the api_key API with a valid key but the wrong username, you get back an error message with the right username. Given that you can use API tokens without the username this is only marginally a security issue, but could be used for footprinting to get a list of known username given their tokens.

      $  curl -u foo:AKCsomevalidtoken https://artifactory.internal/api/gems/gems-dev/api/v1/api_key.yaml
      {
        "errors" : [ {
          "status" : 401,
          "message" : "Bad authentication Key apiKey=AKCsomevalidtoken for user bar"
        } ]
      }
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                noahk Noah Kantrowitz
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: