[MXS-6579] X-HTTP-Method-Override header allows a basic user to perform admin operations - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 23.02.17, 23.08.13, 24.02.9, 25.01.6, 25.10.2
Fix Version/s: 23.02.18, 23.08.14, 24.02.10, 25.01.7, 25.10.3
Component/s: REST-API
Labels:
None

Description

Essentially allows a read-only REST-API user to perform write-operations. Authentication is still required.

This issue applies to MaxScale 25.10 only partially, as 25.10 authorizes against the effective HTTP method and not the "fake" one. 25.10 still uses the wrong method in some checks, e.g. it can be fooled to compare against admin_readonly_hosts when admin_readwrite_hosts would be correct.

Attachments

Activity

People

Assignee:: Esa Korhonen

Reporter:: Esa Korhonen

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2026-06-05 08:07

Updated:: 2026-06-12 06:45

Resolved:: 2026-06-08 07:49

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.