CVE-2023-28640

2023-03-2721:15:12

CWE-269

CWE-862

[email protected]

web.nvd.nist.gov

apiman

api management

unauthorized access

api keys

cve-2023-28640

security vulnerability

permissions check

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.0%

JSON

Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client ID, and Client Version of the targeted non-permitted resource. While not trivial to exploit, it could be achieved by brute-forcing or guessing common names. Access to the non-permitted API Keys could allow use of other users’ resources without their permission (depending on the specifics of configuration, such as whether an API key is the only form of security). Apiman 3.1.0.Final resolved this issue. Users are advised to upgrade. The only known workaround is to restrict account access.

Affected configurations

Vulners

NVD

Node

apimanapimanRange<3.1.0.Final

VendorProductVersionCPE
apimanapiman*cpe:2.3:a:apiman:apiman:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apiman	apiman	*	cpe:2.3:a:apiman:apiman::::::::

CNA Affected

[
  {
    "vendor": "apiman",
    "product": "apiman",
    "versions": [
      {
        "version": "< 3.1.0.Final",
        "status": "affected"
      }
    ]
  }
]