GHSA-J94P-HV25-RM5G

Vulnerability from github – Published: 2023-01-03 12:28 – Updated: 2023-01-03 12:28
VLAI
Summary
Apiman has potential permissions bypass
Details

Impact

Incorrect default permissions for certain read-only resources in the Apiman 1.5.7.Final through 2.2.3.Final in the Apiman Manager REST API allows a remote authenticated attacker to access information and resources in an Apiman Organizations they are not a member of and/or do not have permissions for.

For example, an attacker may be able to craft an HTTP request to discover APIs that are private to organizations they are not members of, via fuzzing, search, and other similar mechanisms.

If the attacker has sufficient permissions in their own organization, they may also be able to sign up to the private APIs they have discovered by crafting a tailored HTTP request, thereby gaining access to an API Management protected resource that they should have access to.

  • A malicious account-holder may be able to see information about APIs they do not have permission for.

  • A malicious account-holder may be able to sign up to APIs they do not have permission for, and hence access API Management-protected resources they are not authorized to access.

  • This does NOT relate to the Apiman Gateway.

Patches

  • Upgrade to Apiman 3.0.0.Final (or later). The issue is fixed in this version.

  • If you are using an older version of Apiman, contact to your Apiman support provider for advice/long-term support.

References

  • https://www.apiman.io/blog/permissions-bypass-disclosure/
  • https://github.com/advisories/GHSA-54r5-wr8x-x5v3
  • https://nvd.nist.gov/vuln/detail/CVE-2022-47551
  • https://github.com/orgs/apiman/discussions/2409
Severity
7.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.3.Final"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.apiman:apiman-manager-api-rest-impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.7"
            },
            {
              "fixed": "3.0.0.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-47551"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-03T12:28:06Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIncorrect default permissions for certain read-only resources in the Apiman 1.5.7.Final through 2.2.3.Final in the Apiman Manager REST API allows a remote authenticated attacker to access information and resources in an Apiman Organizations they are not a member of and/or do not have permissions for.\n\nFor example, an attacker may be able to craft an HTTP request to discover APIs that are private to organizations they are not members of, via fuzzing, search, and other similar mechanisms.\n\nIf the attacker has sufficient permissions in their own organization, they may also be able to sign up to the private APIs they have discovered by crafting a tailored HTTP request, thereby gaining access to an API Management protected resource that they should have access to.\n\n* A malicious account-holder may be able to see information about APIs they do not have permission for.\n\n* A malicious account-holder may be able to sign up to APIs they do not have permission for, and hence access API Management-protected resources they are not authorized to access.\n\n* This does NOT relate to the Apiman Gateway.\n\n### Patches\n\n* Upgrade to Apiman 3.0.0.Final (or later). The issue is fixed in this version.\n\n* If you are using an older version of Apiman, contact to your [Apiman support provider](https://www.apiman.io/support.html) for advice/long-term support.\n\n### References\n\n* https://www.apiman.io/blog/permissions-bypass-disclosure/\n* https://github.com/advisories/GHSA-54r5-wr8x-x5v3\n* https://nvd.nist.gov/vuln/detail/CVE-2022-47551\n* https://github.com/orgs/apiman/discussions/2409\n",
  "id": "GHSA-j94p-hv25-rm5g",
  "modified": "2023-01-03T12:28:06Z",
  "published": "2023-01-03T12:28:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apiman/apiman/security/advisories/GHSA-j94p-hv25-rm5g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47551"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-54r5-wr8x-x5v3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apiman/apiman"
    },
    {
      "type": "WEB",
      "url": "https://github.com/orgs/apiman/discussions/2409"
    },
    {
      "type": "WEB",
      "url": "https://www.apiman.io/blog/permissions-bypass-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apiman has potential permissions bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.