Skip to content

Commit

Permalink
Update 5.6.0 (#5669)
Browse files Browse the repository at this point in the history
update

(cherry picked from commit b6949e1)
  • Loading branch information
Eopayemi authored and Tyk Bot committed Oct 25, 2024
1 parent 7a12f46 commit b036630
Showing 1 changed file with 0 additions and 35 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -275,41 +275,6 @@ We have fixed an issue in the Monitoring section of the Dashboard UI where the *
</ul>
#### Security Fixes
<!-- This section should be a bullet point list that should be included when any security fixes have been made in the release, e.g. CVEs. For CVE fixes, consideration needs to be made as follows:
1. Dependency-tracked CVEs - External-tracked CVEs should be included on the release note.
2. Internal scanned CVEs - Refer to the relevant engineering and delivery policy.
For agreed CVE security fixes, provide a link to the corresponding entry on the NIST website. For example:
- Fixed the following CVEs:
- [CVE-2022-33082](https://nvd.nist.gov/vuln/detail/CVE-2022-33082)
-->
<ul>
<li>
<details>
<summary>Strengthened RBAC password reset permissions</summary>
We have fixed a privilege escalation vulnerability where a user with certain permissions could potentially reset other users' passwords, including admin accounts. The following changes have been made to tighten the behavior of the password reset permission:
- All users can reset their own passwords
- A specific permission is required to reset the password of another user within the same Tyk organization
- This permission can only be assigned by an admin or super-admin
- This permission can only be assigned to an admin and cannot be assigned to a user group
- The allow_admin_reset_password configuration option automatically grants this permission to all admin users
- Super-admins always have the password reset permission across all Tyk organization
</details>
</li>
<li>
<details>
<summary>Gateway secret could be exposed in debug logs</summary>
Resolved an issue where the Gateway secret was inadvertently included in the log generated by the Dashboard for a call to the `/api/keys` endpoint when in debug mode. This issue has been fixed to prevent sensitive information from appearing in system logs. We do not recommend running production environments in debug mode.
</details>
</li>
</ul>
<!-- Required. use 3 hyphens --- between release notes of every patch (minors will be on a separate page) -->
---
Expand Down

0 comments on commit b036630

Please sign in to comment.