Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update 5.6.0 #5669

Merged
merged 1 commit into from
Oct 25, 2024
Merged

Update 5.6.0 #5669

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 0 additions & 35 deletions tyk-docs/content/product-stack/tyk-dashboard/release-notes/version-5.6.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -275,41 +275,6 @@ We have fixed an issue in the Monitoring section of the Dashboard UI where the *

</ul>

#### Security Fixes
<!-- This section should be a bullet point list that should be included when any security fixes have been made in the release, e.g. CVEs. For CVE fixes, consideration needs to be made as follows:
1. Dependency-tracked CVEs - External-tracked CVEs should be included on the release note.
2. Internal scanned CVEs - Refer to the relevant engineering and delivery policy.
For agreed CVE security fixes, provide a link to the corresponding entry on the NIST website. For example:
- Fixed the following CVEs:
- [CVE-2022-33082](https://nvd.nist.gov/vuln/detail/CVE-2022-33082)
-->
<ul>
<li>
<details>
<summary>Strengthened RBAC password reset permissions</summary>

We have fixed a privilege escalation vulnerability where a user with certain permissions could potentially reset other users' passwords, including admin accounts. The following changes have been made to tighten the behavior of the password reset permission:
- All users can reset their own passwords
- A specific permission is required to reset the password of another user within the same Tyk organization
- This permission can only be assigned by an admin or super-admin
- This permission can only be assigned to an admin and cannot be assigned to a user group
- The allow_admin_reset_password configuration option automatically grants this permission to all admin users
- Super-admins always have the password reset permission across all Tyk organization

</details>
</li>

<li>
<details>
<summary>Gateway secret could be exposed in debug logs</summary>

Resolved an issue where the Gateway secret was inadvertently included in the log generated by the Dashboard for a call to the `/api/keys` endpoint when in debug mode. This issue has been fixed to prevent sensitive information from appearing in system logs. We do not recommend running production environments in debug mode.

</details>
</li>


</ul>
<!-- Required. use 3 hyphens --- between release notes of every patch (minors will be on a separate page) -->

---
Expand Down
Loading