When a user logs off from the UI, a malicious user can send requests with the user's existing cookie. The admin UI still authenticates it as a valid user.
Mainly at the endpoints http://trino-host:8080/ui/api/query , http://trino-host:8080/ui/api/cluster and http://trino-host:8080/ui/api/stats the malicious user can see the query details.
Even though the JWT token is bound to the cookie and the token expiry time can be set to a short-lived token, if a user logs off before that it is still an issue, as a malicious user can see the query details by hitting http://trino-host:8080/ui/api/query .
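As an added illustration, not taken from the issue or from Trino's own code: a minimal HS256 session token with a server-side revocation list keyed by the token's `jti`. The vulnerable check validates only signature and expiry, so a cookie replayed after logout is still accepted; the hardened check also consults the revocation list on every request. The signing key, user name, timestamps and `jti` values are constructed for the example.

```python
import base64, hashlib, hmac, json

SECRET = b"example-signing-key-not-for-production"  # constructed for the example
# Server-side revocation store: jti -> expiry. An entry only needs to live until
# the token would expire on its own, so purge_revoked() can drop it after that.
_revoked = {}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user: str, ttl: int, now: int, jti: str) -> str:
    """Mint an HS256 JWT carrying a unique id (jti) so it can be revoked later."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "exp": now + ttl, "jti": jti}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def _decode(token: str):
    """Return the claims if the HS256 signature verifies, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(payload))

def authenticate_vulnerable(token: str, now: int):
    """Signature and expiry only: a cookie replayed after logout is still accepted."""
    claims = _decode(token)
    if claims is None or claims.get("exp", 0) <= now:
        return None
    return claims["sub"]

def logout(token: str) -> None:
    """Record the token's jti until its natural expiry so it cannot be replayed."""
    claims = _decode(token)
    if claims is not None and "jti" in claims:
        _revoked[claims["jti"]] = claims.get("exp", 0)

def purge_revoked(now: int) -> None:
    """Housekeeping: forget revocations for tokens that have expired anyway."""
    for jti in [j for j, exp in _revoked.items() if exp <= now]:
        del _revoked[jti]

def authenticate_hardened(token: str, now: int):
    """Same checks plus the revocation list consulted on every request."""
    claims = _decode(token)
    if claims is None or claims.get("exp", 0) <= now or claims.get("jti") in _revoked:
        return None
    return claims["sub"]
```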