Queue deletion via the HTTP API was not verifying the configure
permission of the user.
Users who had all of the following:
could delete queues it had no (deletion) permissions for.
Disable management plugin and use, for example, Prometheus and Grafana for monitoring.
OWASP Top10 A01:2021 – Broken Access Control
{ "nvd_published_at": "2024-11-06T20:15:06Z", "cwe_ids": [ "CWE-284" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-11-06T19:55:13Z" }