Improper access control in API Gateway and API Manager - #VU74264

 

Improper access control in API Gateway and API Manager - #VU74264

Published: March 31, 2023


Vulnerability identifier: #VU74264
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Axway
Affected software:
API Gateway
API Manager

Detailed vulnerability description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions when "api.manager.orgadmin.selfservice.enabled" system property is set to "true". An organization administrator can see APIs that belong to other organizations.


Remediation

Install updates from vendor's website.

Sources