Hide/Protect NodeJS metrics
The TYPO3 Security Team received a report on exposed system details which could be hidden/protected. I've created this very issue since there is no actual exploit, no sensitive information is exposed.
If possible, this URL probably could be protected - either by corresponding authentication or network-based filters (IP/host).
Report
From: Remonsec <remonsec@gmail.com>
Date: Wed, 12 May 2021 14:40:25 +0600
Subject: Information Disclosure of Garbage Collection Cycle #14
Summary
Upon enumerating a subdomain's content I found a directory that discloses the duration of the garbage collection cycles. I think that this information should be kept private because the public should not know information about the target application and how it operates or does its garbage collection process.
Vulnerable URL
https://notes.typo3.org/metrics
Reference
https://hackerone.com/reports/981796
Impact
This information may help attackers understand more things about the target application which may help in further investigation and exploitation.
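Added example (not part of the issue, the report, or the code running on the affected host): one way to apply both protections suggested above, a network allowlist and token authentication, to a /metrics route in Node.js. The function names, the allowlisted addresses and the token handling are assumptions made for illustration.

```javascript
const http = require('node:http');
const net = require('node:net');
const { createHash, timingSafeEqual } = require('node:crypto');

// Assumed scraper addresses (constructed values: loopback and an RFC 5737 range).
const allowlist = new net.BlockList();
allowlist.addAddress('127.0.0.1');
allowlist.addSubnet('192.0.2.0', 24);

// Hash both sides so timingSafeEqual always compares equal-length buffers.
function tokenMatches(presented, expected) {
  const a = createHash('sha256').update(presented).digest();
  const b = createHash('sha256').update(expected).digest();
  return timingSafeEqual(a, b);
}

// Decide which HTTP status the metrics route should answer with.
// remoteAddress must be the socket peer, not a client-supplied header such as
// X-Forwarded-For; behind a reverse proxy, apply the network filter at the proxy.
function metricsAccess(remoteAddress, authorization, expectedToken) {
  // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; normalise first.
  const addr = (remoteAddress || '').replace(/^::ffff:(?=\d+\.\d+\.\d+\.\d+$)/i, '');
  const family = net.isIPv6(addr) ? 'ipv6' : 'ipv4';
  if (net.isIP(addr) !== 0 && allowlist.check(addr, family)) return 200;

  const m = /^Bearer (.+)$/.exec(authorization || '');
  if (m && expectedToken && tokenMatches(m[1], expectedToken)) return 200;
  return authorization ? 403 : 401; // 401: no credentials, 403: wrong ones
}

// Hypothetical wiring: renderMetrics is whatever produces the metrics text.
function createMetricsServer(expectedToken, renderMetrics) {
  return http.createServer((req, res) => {
    if (req.url !== '/metrics') { res.writeHead(404).end(); return; }
    const status = metricsAccess(
      req.socket.remoteAddress, req.headers.authorization, expectedToken);
    if (status !== 200) {
      const headers = status === 401 ? { 'WWW-Authenticate': 'Bearer' } : {};
      res.writeHead(status, headers).end();
      return;
    }
    res.writeHead(200, { 'Content-Type': 'text/plain' }).end(renderMetrics());
  });
}
```

An empty expectedToken disables the token path, so an unset secret leaves only the allowlist in effect.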