PT-2025-45728 · Go · github.com/treeverse/lakefs

Published 2025-11-03 · Updated 2025-11-03

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Impact

Missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime.

Patches

Upgrade to a release later than v1.70.1 (>v1.70.1).

Workarounds

Any ONE of the following is sufficient to block access to this endpoint:
  • Disable usage reporting by setting the configuration option usage_report.enabled, or the environment variable LAKEFS_USAGE_REPORT_ENABLED, to false.
  • Block the request route /api/v1/usage-report/summary at a load balancer or application-level firewall in front of lakeFS.
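The second workaround (blocking the route in front of the application), shown as an added Go example rather than lakeFS's own code: the BlockUsageReport filter and the StatusFor helper are hypothetical names, and the always-200 upstream is a constructed stand-in for the real server.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
)

// BlockedRoute is the unauthenticated endpoint named in the advisory.
const BlockedRoute = "/api/v1/usage-report/summary"

// BlockUsageReport is a hypothetical application-level filter: it wraps the
// upstream lakeFS handler and rejects the usage-report summary route before
// the request reaches it. The path is cleaned first so that variants such as
// a trailing slash or "/./" segments are matched too, not only the exact
// string; do the same normalisation if you express this rule in a load balancer.
func BlockUsageReport(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if path.Clean("/"+r.URL.Path) == BlockedRoute {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor sends one request through the filter against a constructed
// stand-in upstream that always answers 200, and returns the status observed.
func StatusFor(reqPath string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, reqPath, nil)
	BlockUsageReport(upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, p := range []string{BlockedRoute, BlockedRoute + "/", "/api/v1/repositories"} {
		fmt.Printf("%-40s -> %d\n", p, StatusFor(p))
	}
}
```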

Weakness Enumeration

Missing Authorization

Information Disclosure

Related identifiers

GHSA-H238-5MWF-8XW8

Affected products

github.com/treeverse/lakefs