Hello THREDDS users,
A security vulnerability has been reported for TDS 5, refreshingly not
related to logging: a validation error on the "filename" parameter in the
notebook service allows malevolent users to request files outside the TDS
content directory.
The bug has been fixed and a new snapshot of TDS 5.4 has been published
(see downloads <https://www.unidata.ucar.edu/downloads/tds/>).
Alternatively, you can turn off the notebook service, in lieu of upgrading,
by following the instructions here:
<https://docs.unidata.ucar.edu/tds/current/userguide/customizing_tds_look_and_feel.html#enabledisable-notebook-service>
*Affected versions*
The bug was introduced in *TDS 5.0.0-beta9*, and exists in all versions of
TDS 5.x prior to today's release. Beta versions prior to and including TDS
5.0.0-beta8 were not affected.
*Upcoming releases*
We still plan to put out official releases of TDS 5.4 and 4.6.20 very soon.
We are aiming to do some backlogged bug-squashing prior to the release of
5.4, so keep an eye out for that release.
best,
THREDDS team
--
Hailey Johnson (she/her)
Software Engineer | THREDDS Developer
Unidata | UCAR Community Programs (UCP)
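As an added illustration of the class of check a "filename" parameter like the one above needs (example code written for this page, not TDS's own fix; the content-directory path and function names are assumptions), the following resolves a requested name and refuses anything that lands outside the configured content directory. It goes a little beyond the announcement's single case by also rejecting absolute paths, NUL bytes, a bare request for the directory itself, and symlinks that point outside it.

```python
import os


class UnsafeFilenameError(ValueError):
    """Raised when a requested filename would resolve outside the content directory."""


def resolve_within_content_dir(content_dir: str, filename: str) -> str:
    """Return the canonical path of `filename` inside `content_dir`, or raise.

    The check is done on the fully resolved path (realpath follows symlinks and
    collapses '..' segments), so neither '../' sequences nor a symlink planted
    inside the content tree can escape it.
    """
    if not filename or "\x00" in filename:
        raise UnsafeFilenameError("empty filename or NUL byte in filename")
    # Refuse backslashes outright: on a Windows host they are separators and
    # would let '..\\' slip past a check that only looks for '/'.
    if "\\" in filename:
        raise UnsafeFilenameError("backslash not permitted in filename")
    if os.path.isabs(filename):
        raise UnsafeFilenameError("absolute paths are not permitted")

    base = os.path.realpath(content_dir)  # assumed content directory, e.g. /srv/tds/content
    candidate = os.path.realpath(os.path.join(base, filename))

    # commonpath compares whole components, so /srv/tds/content-evil is not
    # mistaken for a child of /srv/tds/content (a plain startswith() would be).
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFilenameError(f"{filename!r} resolves outside the content directory")
    if candidate == base:
        raise UnsafeFilenameError("a file name is required, not the content directory itself")
    return candidate


def is_safe_filename(content_dir: str, filename: str) -> bool:
    """Boolean convenience wrapper around resolve_within_content_dir."""
    try:
        resolve_within_content_dir(content_dir, filename)
        return True
    except UnsafeFilenameError:
        return False


if __name__ == "__main__":
    # Constructed sample requests against an assumed content directory.
    for name in ("notebooks/demo.ipynb", "../../etc/passwd", "/etc/passwd", "."):
        print(f"{name!r:30} -> {'allowed' if is_safe_filename('/srv/tds/content', name) else 'rejected'}")
```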