CVE-2023-29860
Description
Insecure permissions in the /Taier/API/tenant/listTenant interface in DTStack Taier 1.3.0 allow attackers to view sensitive information via the getCookie method.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DTStack Taier 1.3.0 has insecure permissions in the /Taier/API/tenant/listTenant interface, allowing attackers to view sensitive tenant information via the getCookie method without proper authentication.
Vulnerability
DTStack Taier version 1.3.0 contains an insecure permissions vulnerability in the /Taier/API/tenant/listTenant interface. The getCookie method used for authentication does not verify whether the requesting user belongs to the platform, allowing unauthorized access to tenant data. [1]
Exploitation
An attacker can exploit this vulnerability by directly calling the /Taier/API/tenant/listTenant endpoint without needing valid credentials or belonging to the platform. The getCookie method fails to check the user's association with the application, enabling any user to retrieve tenant information. [1]
Impact
Successful exploitation results in the disclosure of sensitive tenant information, including potentially all data accessible via the application's tenant list. This constitutes a high-impact information disclosure vulnerability. [1]
Mitigation
According to the available references, no official fix or workaround has been published. Users are advised to monitor the vendor's repository for updates. The issue is reported in the Taier issue tracker [1], and a fix may be pending.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
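With no fix listed, one interim check is to review reverse-proxy access logs for successful listTenant responses sent to clients outside a known set. The following is an added example, not code from Taier or from the cited report; the Combined Log Format, the case-insensitive path match, the `trusted` address set and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Path taken from the CVE description; matched case-insensitively because
# the casing of the deployed route is an assumption.
ENDPOINT = re.compile(r"^/taier/api/tenant/listTenant(?:[/?]|$)", re.IGNORECASE)

# Combined Log Format (assumed format of the proxy in front of Taier).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def triage(lines, trusted=frozenset()):
    """Return {client_ip: [(timestamp, status, bytes), ...]} for successful
    listTenant responses sent to clients outside the trusted set."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or not ENDPOINT.match(m["path"]):
            continue  # unparsable line or a different endpoint
        status = int(m["status"])
        if m["ip"] in trusted or not 200 <= status < 300:
            continue  # known client, or the request was rejected
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["ip"]].append((m["ts"], status, size))
    return dict(hits)

# Constructed sample log lines (addresses from documentation ranges).
SAMPLE = [
    '10.0.0.5 - alice [25/May/2026:10:00:01 +0000] "POST /taier/api/tenant/listTenant HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/May/2026:10:02:13 +0000] "POST /Taier/API/tenant/listTenant HTTP/1.1" 200 2048',
    '203.0.113.7 - - [25/May/2026:10:02:14 +0000] "GET /taier/api/task/list HTTP/1.1" 200 90',
    '198.51.100.9 - - [25/May/2026:10:05:40 +0000] "POST /taier/api/tenant/listTenant HTTP/1.1" 401 -',
    '192.0.2.44 - - [25/May/2026:10:07:02 +0000] "GET /taier/api/tenant/listTenant?x=1 HTTP/1.1" 200 2050',
]

if __name__ == "__main__":
    for ip, events in triage(SAMPLE, trusted={"10.0.0.5"}).items():
        print(ip, events)
```

Responses with a 2xx status and a non-trivial body size to an address that is not a known platform client are the entries worth following up.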
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.