[HBASE-25403] Cookie and Referrer policy vulnerabilities reported by scanner tool - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: REST
Labels:
None

Description

Vulnerability scanner has reported the following:

1.Cookies with missing, inconsistent or contradictory properties i)cookie without SameSite attribute

https://<rs-ip>:<rs-port>/region.jsp

Remediation: To ensure that the cookies configuration complies with the applicable standards, Setting Same-Site attribute to Set-Cookie HTTP response header

Plan: Make Same-Site Configurable

2.Insecure Referrer Policy

URLs where Referrer policy configuration is insecure:

https://<rs-ip>:<rs-port>/rs-status
https://<rs-ip>:<rs-port>/region.jsp
https://<rs-ip>:<rs-port>/
https://<rs-ip>:<rs-port>/conf
https://<rs-ip>:<rs-port>/logLevel
https://<rs-ip>:<rs-port>/logs/

Remediation: Consider setting Referrer-Policy header to 'strict-origin-when-cross-origin' or a stricter value

Plan: Make Referrer-Policy header Configurable.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Akshay Sudheer

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 16/Dec/20 17:02

Updated:: 17/Dec/20 09:05