Werk #9554: Use POST for starting backup restore job

Component Firmware
Title Use POST for starting backup restore job
Date Nov 24, 2023
Level Trivial Change
Class Bug Fix
Compatibility Compatible - no manual interaction needed
Appliance Version 1.7.0 1.6.9

When restoring a backup, the passphrase is submitted with the restore form. The form used the GET method, so the passphrase became part of the request URL and was logged to the Apache access log.

We found this vulnerability internally.

Indicators of Compromise: Check /var/log/apache2/access.log for occurrences of passphrase.
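One way to run the check above without copying the secret into a terminal or ticket, as an added example that is not part of the original Werk or the appliance's own code. It assumes the form field name contains "passphrase" and that the log uses Apache's common or combined format; the request paths in the sample lines are constructed.

```python
import re
import sys
from urllib.parse import parse_qsl

# Apache common/combined prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')

def find_passphrase_hits(lines, needle="passphrase"):
    """Return one redacted record per request whose query string carries `needle`.

    `needle` is an assumption: the Werk only says to look for "passphrase".
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        host, when, method, target, status = m.groups()
        path, _, query = target.partition("?")
        # parse_qsl percent-decodes names, so pass%70hrase=... is matched as well
        params = parse_qsl(query, keep_blank_values=True)
        if not any(needle in k.lower() for k, _ in params):
            continue
        # Report the hit but never echo the logged secret itself
        redacted = "&".join(
            f"{k}=<redacted>" if needle in k.lower() else f"{k}={v}"
            for k, v in params
        )
        hits.append({"line": lineno, "client": host, "time": when,
                     "method": method, "status": int(status),
                     "path": path, "query": redacted})
    return hits

# Constructed sample lines (not taken from a real appliance)
SAMPLE = [
    '192.0.2.10 - - [24/Nov/2023:10:15:02 +0100] "GET /restore?mode=start&passphrase=s3cr3t%21 HTTP/1.1" 200 512',
    '192.0.2.10 - - [24/Nov/2023:10:16:40 +0100] "POST /restore HTTP/1.1" 200 498',
    '192.0.2.11 - - [24/Nov/2023:10:17:05 +0100] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    # Pass the log path as the first argument; without one the sample is scanned
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            found = find_passphrase_hits(fh)
    else:
        found = find_passphrase_hits(SAMPLE)
    for hit in found:
        print(hit)
```

Rotated copies of the access log, where present, hold the same kind of entries and can be passed through the script in the same way.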

Vulnerability Management: We have rated the issue with a CVSS Score of 3.3 (Low) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. We assigned CVE-2023-6287 to this vulnerability.

Changes: With this Werk, the method is changed to POST, so the passphrase will no longer be logged.
