Description
Impact
If sensitive information is included within the logs, any registry user would be able to see it.
Description
The logger service allowed registry users to view all system logs regardless of their specific registry, leading to potential exposure of sensitive information and system details. The absence of role-based access control for logs means that any registry user can gain insights into system operations, potentially aiding in further attacks.
The screenshot below shows two different registry users seeing the same logs.
Recommendation
It is recommended to separate the system functionality from the registry functionality specifically for log management. Additionally, it would be appropriate to restrict access to system logs to a different admin role, who would only review the system logs.
For registry logs, it is recommended to ensure that one registry can only view its logs, without seeing the logs of other registry users.
Location
• /admin/logs