THREAT OPS › Threat News › [GHSA] GHSA-h4g2-xfmw-q2c9 (high) — Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset
[GHSA] GHSA-h4g2-xfmw-q2c9 (high) — Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset
GHSA-h4g2-xfmw-q2c9 Severity: high CVE: None
Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset
### Summary A Clauster instance bound to a **non-loopback** address (e.g. `0.0.0.0` or a LAN IP) can serve the entire dashboard and its API **without any authentication** — even when the operator has configured a password — if `auth.enabled` is left a
MITRE ATT&CK techniques
- CredentialsT1589.001
Original source: https://github.com/advisories/GHSA-h4g2-xfmw-q2c9