We recently ran an IT Health check in our environment and this is one of the findings.
Can you please advise if it is possible to adjust the config so that it does not disclose information unnecessarily?
Finding
When you access the Vault login page it discloses the software version on the page.
Information of this nature provides an insight into how the application has been built and the technologies being used, which could enable an attacker to direct subsequent attacks with greater efficiency, thus reducing the amount of time available to identify and mitigate any incoming attack.
The impact is considered medium as an attacker could use the disclosed information to research any attack vectors related to the version of software disclosed; however, the likelihood is low as an attacker would require access to both the application and the environment.
Recommendation
It is recommended that all web application error messages are configured so that they do not disclose information unnecessarily. They should be as static as possible, containing only text such as "Sorry, there has been an error with the application. Please contact the system administrator if the problem persists".
Ideally, users should not be informed that an error has occurred; instead the application should continue to work as normal as this will reduce the likelihood of an attacker being able to enumerate the internal workings of the system. It should be noted, however, that this approach may cause a problem if a genuine bug is present in the system.
Hi @void269
I think that something similar to this is available as of Vault 1.16.0. Version is not displayed in the UI for unauthenticated users.
Please check: #26599
CVSS 4.0 Score 2.1
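A way to re-test this finding from the outside, as an added example that is not part of the issue thread and not Vault's own tooling: the login page is a single-page app, so any version it shows is fetched over the API after the page loads, and the two unauthenticated endpoints that carry a `version` field in Vault's public API docs are `sys/seal-status` and `sys/health`. The script below queries both with no token and reports whether a version string comes back, which is what an assessor would check again after the upgrade. `VAULT_ADDR` is assumed to point at the listener; the JSON body used offline is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the issue thread or from Vault itself.
# Probes the unauthenticated endpoints the UI draws on and reports whether
# a version string is disclosed. Assumes VAULT_ADDR and curl (assumptions).

# Print the value of a "version" key from JSON on stdin, or nothing if absent.
# Tolerates whitespace around the colon; only the first match is reported.
extract_version_field() {
    sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Classify one response body as "disclosed <version>" or "hidden".
classify_response() {
    ver=$(printf '%s\n' "$1" | extract_version_field)
    if [ -n "$ver" ]; then
        printf 'disclosed %s\n' "$ver"
    else
        printf 'hidden\n'
    fi
}

# Fetch one API path with no token (TLS verification left on) and classify it.
# sys/health may answer 429/503 for standby or sealed nodes; the body is still JSON.
probe() {
    path=$1
    body=$(curl -sS --max-time 5 "${VAULT_ADDR%/}$path") || body=''
    printf '%-24s %s\n' "$path" "$(classify_response "$body")"
}

# Constructed sample body (not a real response) so the parser can be seen offline.
SAMPLE_SEAL_STATUS='{"type":"shamir","initialized":true,"sealed":false,"version":"1.15.4"}'
printf 'sample body:             %s\n' "$(classify_response "$SAMPLE_SEAL_STATUS")"

if [ -n "${VAULT_ADDR:-}" ] && command -v curl >/dev/null 2>&1; then
    probe /v1/sys/seal-status
    probe /v1/sys/health
else
    echo "set VAULT_ADDR (and have curl on PATH) to probe a live Vault" >&2
fi
```

Run it once against the pre-1.16 cluster to confirm the finding and once after the upgrade; if either endpoint still reports `disclosed`, the version is reachable without a token regardless of what the login page renders, and that is what to put in the remediation evidence.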