Project: Snowplow Mini
Vulnerability: Access to unsecured endpoint showing collected data
Description:
The Snowplow Mini project provides a simplified version of a full pipeline for testing and evaluation purposes.
Following the announcement of a vulnerability in Snowplow Mini, communicated on October 28th, we have conducted a thorough review of the Mini ecosystem. This review has surfaced other endpoints that are not covered by our basic authentication rules, so visitors to those endpoints are not challenged for a username and password.
Impact:
If you’re using Mini for testing purposes as designed and are not storing user data, the risk of this vulnerability is minimal. If you are using Mini to collect user data, we advise that you upgrade immediately.
Solutions:
We have released version 0.6.4 with a fix for this issue.
You can find steps to update to 0.6.4 at the links below: