[jira] [Updated] (HBASE-25403) Cookie and Referrer policy vulnerabilities reported by scanner tool

Wed, 16 Dec 2020 09:18:08 -0800 


     [ 
https://issues.apache.org/jira/browse/HBASE-25403?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Akshay Sudheer updated HBASE-25403:
-----------------------------------
    Description: 
Vulnerability scanner has reported the following:

1.Cookies with missing, inconsistent or contradictory properties i)cookie 
without SameSite attribute
 * https://<rs-ip>:<rs-port>/region.jsp

Remediation: To ensure that the cookies configuration complies with the 
applicable standards, Setting Same-Site attribute to Set-Cookie HTTP response 
header

Plan: Make Same-Site Configurable

 

2.Insecure Referrer Policy

URLs where Referrer policy configuration is insecure:
 * https://<rs-ip>:<rs-port>/rs-status
 * https://<rs-ip>:<rs-port>/region.jsp
 * https://<rs-ip>:<rs-port>/
 * https://<rs-ip>:<rs-port>/conf
 * https://<rs-ip>:<rs-port>/logLevel
 * https://<rs-ip>:<rs-port>/logs/

Remediation: Consider setting Referrer-Policy header to 
'strict-origin-when-cross-origin' or a stricter value

Plan: Make Referrer-Policy header Configurable.

  was:
Vulnerability scanner has reported the following:

1.Cookies with missing, inconsistent or contradictory properties i)cookie 
without SameSite attribute

Remediation: To ensure that the cookies configuration complies with the 
applicable standards, Setting Same-Site attribute to Set-Cookie HTTP response 
header

Plan: Make Same-Site Configurable

 

2.Insecure Referrer Policy

Remediation: Consider setting Referrer-Policy header to 
'strict-origin-when-cross-origin' or a stricter value

Plan: Make Referrer-Policy header Configurable.


> Cookie and Referrer policy vulnerabilities reported by scanner tool
> -------------------------------------------------------------------
>
>                 Key: HBASE-25403
>                 URL: https://issues.apache.org/jira/browse/HBASE-25403
>             Project: HBase
>          Issue Type: Bug
>          Components: REST
>            Reporter: Akshay Sudheer
>            Priority: Minor
>
> Vulnerability scanner has reported the following:
> 1.Cookies with missing, inconsistent or contradictory properties i)cookie 
> without SameSite attribute
>  * https://<rs-ip>:<rs-port>/region.jsp
> Remediation: To ensure that the cookies configuration complies with the 
> applicable standards, Setting Same-Site attribute to Set-Cookie HTTP response 
> header
> Plan: Make Same-Site Configurable
>  
> 2.Insecure Referrer Policy
> URLs where Referrer policy configuration is insecure:
>  * https://<rs-ip>:<rs-port>/rs-status
>  * https://<rs-ip>:<rs-port>/region.jsp
>  * https://<rs-ip>:<rs-port>/
>  * https://<rs-ip>:<rs-port>/conf
>  * https://<rs-ip>:<rs-port>/logLevel
>  * https://<rs-ip>:<rs-port>/logs/
> Remediation: Consider setting Referrer-Policy header to 
> 'strict-origin-when-cross-origin' or a stricter value
> Plan: Make Referrer-Policy header Configurable.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to