Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Windmill Exposes Workspace Slack OAuth Client Secrets to Non-Admin Workspace Members
Vulnerability Description
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/{workspace}/workspaces/get_settings endpoint returns the slack_oauth_client_secret to any authenticated workspace member, regardless of their admin status. It is expected behavior for non-admin users to see a redacted version of workspace settings, as some of them are necessary for the frontend to behave correctly even for non-admins. However, the Slack configuration should not be visible to non-admins. This is a legacy issue: the setting was stored as a plain value instead of using $variable indirection, and it was never added to the redaction logic. This issue has been fixed in version 1.635.0.
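To illustrate the redaction gap described above, the following is an added example (not Windmill's own code) contrasting a deny-list redaction that silently omits a secret field with an allow-list redaction that fails closed for non-admins; all field names other than slack_oauth_client_secret, and all values, are constructed.

```rust
use std::collections::BTreeMap;

/// Flat key/value stand-in for a workspace settings row (constructed; not Windmill's type).
pub type Settings = BTreeMap<&'static str, String>;

/// Constructed settings as the get_settings endpoint might return them before redaction.
pub fn sample_settings() -> Settings {
    let mut s = Settings::new();
    s.insert("workspace_id", "demo".into());                 // constructed
    s.insert("auto_invite_domain", "example.com".into());    // constructed
    s.insert("slack_team_name", "demo-team".into());         // constructed
    s.insert("slack_oauth_client_secret", "CONSTRUCTED-SECRET".into());
    s
}

/// Legacy-style redaction: a deny-list of fields known to be sensitive.
/// This mirrors the advisory's failure mode: a secret stored as a plain value
/// that was never added to the list is returned to every workspace member.
pub fn redact_denylist(settings: &Settings, is_admin: bool) -> Settings {
    const DENY: &[&str] = &["legacy_secret_field"]; // constructed entry; Slack secret missing
    if is_admin {
        return settings.clone();
    }
    settings
        .iter()
        .filter(|(k, _)| !DENY.contains(k))
        .map(|(k, v)| (*k, v.clone()))
        .collect()
}

/// Hardened redaction: an allow-list of exactly the fields the frontend needs.
/// Anything not listed is dropped for non-admins, so a newly added secret
/// is withheld by default instead of leaking until someone remembers to list it.
pub fn redact_allowlist(settings: &Settings, is_admin: bool) -> Settings {
    const ALLOW: &[&str] = &["workspace_id", "auto_invite_domain", "slack_team_name"];
    if is_admin {
        return settings.clone();
    }
    settings
        .iter()
        .filter(|(k, _)| ALLOW.contains(k))
        .map(|(k, v)| (*k, v.clone()))
        .collect()
}

/// Check a non-admin response for the field the advisory says must be redacted.
pub fn leaks_slack_secret(response: &Settings) -> bool {
    response.contains_key("slack_oauth_client_secret")
}
```

The same check can be run against a live non-admin response body when verifying that an upgrade to 1.635.0 or later actually closed the gap.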
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
Information exposure
Vulnerability Title
WindMill Information Disclosure Vulnerability
Vulnerability Description
WindMill is a free, open-source tool by the individual developer Lukasavicus, used to control job execution in Python. WindMill 1.634.6 and earlier versions contain an information disclosure vulnerability, which stems from non-admin users being able to obtain the Slack OAuth client secret, possibly leading to the leakage of sensitive information.
CVSS Information
N/A
Vulnerability Type
N/A