This repository has been archived by the owner on Jun 23, 2023. It is now read-only.

Version is publicly exposed #116

Open
@nevets963

Description

Within the /ping endpoint (https://github.com/getumbrel/umbrel-manager/blob/master/routes/ping.js#L5), the version of the component is publicly exposed, which could aid an attacker in quickly identifying known vulnerabilities within a given Umbrel version.

e.g.
0.2.17 shown in
https://testnet.getumbrel.com/manager-api/ping

As far as I can tell, the version isn't displayed anywhere in the dashboard, just set within the Vue state:
https://github.com/getumbrel/umbrel-dashboard/blob/686ae71962870b737cf84b0805b466be88b28c6d/src/store/modules/system.js#L37

Proposed solution: add JWT auth or remove version no. from response.

The exact same issue exists for the middleware too: https://github.com/getumbrel/umbrel-middleware/blob/master/routes/ping.js#L5
Happy to open an issue within the repo too
