RELEASED: Public: 2020-04-27
Security fixes
- Missing permission check leads to SSRF in VMware Autoscaling Plugin (CTR-1293)
  When using the Test Connection feature on the VMware Pools page, a missing permission check allowed a user without CONFIGURE permission to call the validation endpoint, leading to a server-side request forgery (SSRF) vulnerability: the endpoint opens an outbound connection to a caller-supplied target, so any user able to reach it could make the server connect to hosts of their choosing. With this fix, a permission check has been added, so users without CONFIGURE permission now get an authorization error when attempting to call the validation endpoint.
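The shape of the bug and of the fix, as an added illustration rather than code from the VMware Autoscaling Plugin: a Jenkins form-validation ("do" method) endpoint that probes a caller-supplied host is reachable over HTTP, and without a permission check every user who can reach the URL gets an SSRF primitive. Class, method and parameter names below are hypothetical; the release note says CONFIGURE but does not identify which Permission object the plugin checks, so Jenkins.ADMINISTER is used as a stand-in; the @POST annotation is standard Jenkins hardening for side-effecting validation methods and is not mentioned in the note.

```java
// Added illustration, not code from the VMware Autoscaling Plugin.
// Class, method and parameter names are hypothetical.
package example.ssrf;

import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class PoolConnectionCheck {

    // BEFORE (the shape of the bug): a Stapler "do" method is reachable over HTTP by
    // anyone who can reach the descriptor URL. No permission is checked, so a caller
    // who may not even be able to open the configuration page can make the server
    // connect to an arbitrary host and learn from the result whether it answered.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String host) {
        return tryConnect(host);
    }

    // AFTER: require the permission before any outbound request. checkPermission()
    // throws an AccessDeniedException, which Stapler turns into an HTTP 403, so the
    // caller gets an authorization error instead of a connection attempt.
    // The note says CONFIGURE; which Permission object the plugin uses is not stated,
    // so Jenkins.ADMINISTER stands in here (assumption).
    // @POST blocks GET-driven and cross-site calls; standard hardening, not from the note.
    @POST
    public FormValidation doTestConnection(@QueryParameter String host) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(host);
    }

    // Shared connection probe: the outbound request that makes the unguarded endpoint
    // an SSRF primitive. Timeouts keep a single probe from tying up a request thread.
    private static FormValidation tryConnect(String host) {
        if (host == null || host.isEmpty()) {
            return FormValidation.error("Host is required");
        }
        try {
            URL url = new URL("https://" + host + "/"); // hypothetical probe URL
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            conn.setRequestMethod("GET");
            int status = conn.getResponseCode();
            conn.disconnect();
            return FormValidation.ok("Reached " + host + " (HTTP " + status + ")");
        } catch (IOException e) {
            return FormValidation.error(e, "Could not connect to " + host);
        }
    }
}
```

To confirm the fix after upgrading, call the Test Connection validation endpoint with the credentials of a user who lacks CONFIGURE permission: the response should be an HTTP 403 authorization error, not a connection result. The permission check must precede the outbound request; placing it after, or only in the UI that renders the button, leaves the endpoint itself exploitable.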