188 matches found

Cvelist
added 2024/01/03 12:00 a.m. · 12 views

CVE-2023-50092

APIIDA API Gateway Manager for Broadcom Layer7 v2023.2 is vulnerable to Cross-Site Scripting (XSS)...

AI score 6.3 · EPSS 0.0038
Exploits 1 · References 2
Positive Technologies
added 2024/01/03 12:00 a.m. · 2 views

PT-2024-13857 · Broadcom · Apiida Api Gateway Manager

Name of the Vulnerable Software and Affected Versions: APIIDA API Gateway Manager for Broadcom Layer7 version 2023.2. Description: The APIIDA API Gateway Manager for Broadcom Layer7 is affected by a Cross-Site Scripting (XSS) issue. This allows malicious scripts to be injected into the website,...

CVSS 6.1 · AI score 6 · EPSS 0.0038
Exploits 1 · References 7
Veracode
added 2023/12/15 8:07 a.m. · 26 views

Denial Of Service (DoS)

@cubejs-backend/api-gateway is vulnerable to Denial of Service (DoS). The vulnerability exists in gateway.ts and allows an attacker to crash the application by submitting a crafted query...

CVSS 7.5 · AI score 6.9 · EPSS 0.00722
Exploits 0 · References 5 · Affected Software 1
vulnersOsv
added 2023/12/13 11:15 p.m. · 7 views

@codefresh-io/cubejs-backend-server-core (>=0.30.77 <=0.30.83), @cubejs-backend-json-clone/server (=1.0.0) +16 more potentially affected by CVE-2023-50709 via @cubejs-backend/api-gateway (>=0.0.18 <=0.33.65)

@cubejs-backend/api-gateway NPM version =0.0.18, =0.30.77, =0.0.8, =0.0.7, =0.0.24, =0.10.0, =0.10.0, =0.32.28, =0.29.4, =1.0.0, =0.27.30, =0.30.61, =0.32.0, =0.33.8 and more. Source CVEs: CVE-2023-50709. Source advisory: OSV:GHSA-9759-3276-G2PM...

CVSS 7.5 · AI score 7.2 · EPSS 0.00722
Exploits 0
IBM Security Bulletins
added 2023/10/13 12:54 p.m. · 41 views

Security Bulletin: IBM DataPower Gateway vulnerable to multiple issues in Node.js

Summary: IBM has addressed the following CVEs that could affect the API Gateway Director and, in version 10.5. only, the New UI. Vulnerability Details: CVEID: CVE-2023-30588 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by invalid public key information in X.509 certificates. By...

CVSS 7.5 · AI score 7.3 · EPSS 0.03467
Exploits 2 · Affected Software 1
BDU FSTEC
added 2023/07/24 12:00 a.m. · 2 views

Vulnerabilities in the APIkit components, the HTTP connector, and the OAuth2 Provider integrated into the API Gateway environment of Mule Runtime allow attackers to gain unauthorized access to protected information.

The vulnerabilities in the APIkit components, the HTTP connector, and the OAuth2 Provider integrated into the API Gateway environment of Mule Runtime are related to improper handling of relative paths to a restricted directory (path traversal). Exploiting these vulnerabilities can allow an attacker to...

CVSS 7.5 · AI score 7.2 · EPSS 0.02998
Exploits 0 · References 4 · Affected Software 1
Trend Micro Simply Security
added 2023/06/22 12:00 a.m. · 9 views

How to Implement a Secure API Gateway

As you rely more on APIs to connect microservices in modern applications, these APIs become a lucrative target for bad actors. Learn how an API gateway provides an extra layer of security, helping protect your systems and data from unauthorized access...

AI score 6.8
Exploits 0
CNNVD
added 2023/04/26 12:00 a.m. · 3 views

Google ESPv2 Authorization Problem Vulnerability

Google ESPv2 is a general-purpose L7 service proxy from Google, Inc. (US) that enables API management for JSON/REST or gRPC API services. An authorization issue vulnerability exists in Google ESPv2 versions 2.20.0 to 2.42.0, which originates from an API client that can craft maliciou...

CVSS 9.8 · AI score 8.3 · EPSS 0.00658
Exploits 0 · References 6
Github Security Blog
added 2023/03/09 6:30 p.m. · 18 views

Consul Server Panic when Ingress and API Gateways Configured with Peering Connections

A vulnerability was identified in Consul and Consul Enterprise (“Consul”): an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. To exploit this vulnerability, an attacker requires access to an...

CVSS 6.5 · AI score 6.4 · EPSS 0.01005
Exploits 0 · References 6 · Affected Software 1
OSV
added 2023/03/09 6:30 p.m. · 9 views

GHSA-WJ6X-HCC2-F32J Consul Server Panic when Ingress and API Gateways Configured with Peering Connections

A vulnerability was identified in Consul and Consul Enterprise (“Consul”): an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. To exploit this vulnerability, an attacker requires access to an...

CVSS 6.5 · AI score 5.5 · EPSS 0.01005
Exploits 0 · References 6
CNVD
added 2023/02/17 12:00 a.m. · 20 views

Apache ShenYu Authorization Problem Vulnerability (CNVD-2023-23553)

Apache ShenYu is an asynchronous, high-performance, cross-language, responsive API gateway from the Apache Software Foundation (US). An authorization issue vulnerability exists in Apache ShenYu versions prior to 2.5.1, which stems from improper privilege management and can be exploited b...

CVSS 8.8 · AI score 8.6 · EPSS 0.0119
Exploits 0 · References 1
BDU FSTEC
added 2023/01/04 12:00 a.m. · 1 view

The vulnerability in Fortinet FortiSOAR, software for coordinating the operation of security systems and managing incident response in real time, is related to improper access control. It allows attackers to gain access to the API gateway.

The vulnerability in Fortinet FortiSOAR, software for coordinating the operation of security systems and managing incident response in real time, is related to improper access control. Exploiting this vulnerability can allow a malicious actor, operating remotely, to gain access to the...

CVSS 7.8 · AI score 7.2 · EPSS 0.0118
Exploits 0 · References 4 · Affected Software 1
Veracode
added 2022/12/13 6:00 a.m. · 19 views

SQL Injection

@cubejs-backend/api-gateway is vulnerable to SQL injection. A specially crafted statement sent to the /v1/sql-runner endpoint allows a malicious authenticated user to inject and execute arbitrary SQL queries on the target system...

CVSS 9.6 · AI score 9.2 · EPSS 0.00898
Exploits 0 · References 3 · Affected Software 1
OSV
added 2022/12/12 9:28 p.m. · 21 views

GHSA-6JQM-3C9G-PCH7 @cubejs-backend/api-gateway row level security bypass

Impact: All authenticated Cube clients could bypass row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. Patches: The change has been reverted in 0.31.24. Workarounds: Upgrade to >=0.31.24 or downgrade to <=0.31.22. Post mortem: As part of implementing the Cube Cloud...

CVSS 7.7 · AI score 9.3 · EPSS 0.00898
Exploits 0 · References 5
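The two entries above (Veracode's SQL injection entry and GHSA-6JQM-3C9G-PCH7) describe the same failure mode: an endpoint that executes client-supplied SQL cannot enforce row-level security, because the tenant restriction lives in the caller's hands. The added example below is not Cube's code; it is a minimal sqlite3 model, with constructed sample rows and hypothetical measure and dimension names, that shows the raw "sql-runner" pattern leaking another tenant's rows beside the structured-query pattern that compiles the SQL server-side and binds the tenant predicate from the security context on every request.

```python
import sqlite3

# Constructed sample data (not Cube's schema): one table shared by two tenants.
ROWS = [
    ("acme", "2023-01", 120.0),
    ("acme", "2023-02", 95.5),
    ("globex", "2023-01", 4000.0),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (tenant TEXT, month TEXT, revenue REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ROWS)
    return conn


def sql_runner(conn, security_context, raw_sql):
    """Vulnerable pattern, modelled on a raw 'sql-runner' endpoint: the caller's
    SQL runs verbatim. The tenant in security_context is in scope, but nothing
    forces it into the query, so row-level security is whatever WHERE clause the
    caller chooses to write (or omit)."""
    # security_context is intentionally unused here: that is the bug being shown.
    return conn.execute(raw_sql).fetchall()


# Hardened pattern: clients pick from an allow-list of measures/dimensions
# (hypothetical names) and the server compiles the SQL, always adding the
# tenant predicate as a bound parameter.
ALLOWED_MEASURES = {"revenue": "SUM(revenue)", "orders": "COUNT(*)"}
ALLOWED_DIMENSIONS = {"month": "month"}


def load(conn, security_context, query):
    try:
        dims = [ALLOWED_DIMENSIONS[d] for d in query.get("dimensions", [])]
        measures = [ALLOWED_MEASURES[m] for m in query.get("measures", [])]
    except KeyError as unknown:
        raise ValueError(f"unknown field {unknown}") from None
    if not measures:
        raise ValueError("at least one measure is required")
    sql = f"SELECT {', '.join(dims + measures)} FROM orders WHERE tenant = ?"
    if dims:
        group = ", ".join(dims)
        sql += f" GROUP BY {group} ORDER BY {group}"
    return conn.execute(sql, (security_context["tenant"],)).fetchall()


def demo():
    """Run both paths as tenant 'acme' and return (leaked_rows, scoped_rows)."""
    conn = build_db()
    acme = {"tenant": "acme"}
    leaked = sql_runner(
        conn, acme, "SELECT tenant, SUM(revenue) FROM orders GROUP BY tenant ORDER BY tenant"
    )
    scoped = load(conn, acme, {"measures": ["revenue"], "dimensions": ["month"]})
    return leaked, scoped


if __name__ == "__main__":
    leaked, scoped = demo()
    print("raw sql-runner as acme:", leaked)   # includes globex's revenue
    print("compiled query as acme:", scoped)   # acme rows only
```

The structured path still rejects unknown field names with a ValueError rather than interpolating them, which is what keeps the compiled SQL free of caller-controlled identifiers.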
GithubExploit
added 2022/12/03 2:31 p.m. · 452 views

Exploit for Authentication Bypass by Spoofing in Apache Apisix

POCs: Collected POCs for CVE-2022-24112. To create a test...

CVSS 9.8 · AI score 8 · EPSS 0.96182
Exploits 16
IBM Security Bulletins
added 2022/11/21 9:55 p.m. · 51 views

Security Bulletin: IBM DataPower Gateway potentially vulnerable to HTTP request smuggling

Summary: These flaws have the potential to affect the API Gateway Service. IBM has addressed the CVEs. Vulnerability Details: CVEID: CVE-2022-32213 DESCRIPTION: Node.js is vulnerable to HTTP request smuggling, caused by the failure to correctly parse and validate Transfer-Encoding headers by the...

CVSS 6.5 · AI score 7.7 · EPSS 0.76906
Exploits 3 · Affected Software 4
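Request smuggling of the kind the bulletin above describes works when two hops in a chain (a gateway and the backend behind it) disagree about where one request's body ends and the next begins, usually because one of them parses a Transfer-Encoding header leniently. The added example below is not IBM's or Node.js's code and does not reproduce the CVE-2022-32213 parser bug; it is a small Python framing check, run over constructed request heads, that applies the RFC 7230 rules a gateway should enforce: no Transfer-Encoding together with Content-Length, only a single plain "chunked" coding, no whitespace before the header colon, and exactly one Content-Length value.

```python
def parse_head(raw):
    """Split a raw HTTP/1.1 request head into (request_line, headers).
    Header names are lower-cased; duplicates are kept so framing_check can see
    them. Whitespace between a field name and its colon is rejected
    (RFC 7230 s3.2.4): 'Transfer-Encoding : chunked' is a classic way to make
    one hop honour a TE header that the next hop ignores."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip(b" \t"):
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower().decode("ascii"), value.strip(b" \t").decode("ascii")))
    return lines[0].decode("ascii"), headers


def framing_check(headers):
    """Decide how the body is framed, refusing anything two parsers might read
    differently (RFC 7230 s3.3.3):
      - Transfer-Encoding together with Content-Length        -> reject
      - more than one TE header, or any coding but one 'chunked' -> reject
      - Content-Length that is not one plain decimal value     -> reject
    Returns ('chunked', None), ('content-length', n) or ('none', 0)."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        raise ValueError("both Transfer-Encoding and Content-Length present")
    if te:
        if len(te) != 1:
            raise ValueError("multiple Transfer-Encoding headers")
        codings = [c.strip().lower() for c in te[0].split(",")]
        if codings != ["chunked"]:
            raise ValueError(f"unsupported Transfer-Encoding: {te[0]!r}")
        return ("chunked", None)
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise ValueError(f"invalid Content-Length: {cl!r}")
        return ("content-length", int(cl[0]))
    return ("none", 0)


def classify(raw):
    """Framing decision for one raw request, or ('reject', reason).
    UnicodeDecodeError is a ValueError, so non-ASCII header bytes are rejected too."""
    try:
        _, headers = parse_head(raw)
        return framing_check(headers)
    except ValueError as err:
        return ("reject", str(err))


# Constructed requests (not traffic from the bulletin): one benign request per
# framing style, then the ambiguous shapes a gateway must refuse rather than guess at.
SAMPLES = {
    "plain": b"POST /api HTTP/1.1\r\nHost: gw\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"POST /api HTTP/1.1\r\nHost: gw\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "cl_te": b"POST /api HTTP/1.1\r\nHost: gw\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n...",
    "te_list": b"POST /api HTTP/1.1\r\nHost: gw\r\nTransfer-Encoding: chunked, identity\r\n\r\n",
    "te_space": b"POST /api HTTP/1.1\r\nHost: gw\r\nTransfer-Encoding : chunked\r\n\r\n",
    "dup_cl": b"POST /api HTTP/1.1\r\nHost: gw\r\nContent-Length: 4\r\nContent-Length: 9\r\n\r\n",
}


def run_samples():
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:9s} {verdict}")
```

Rejecting, rather than picking one interpretation, is the point: a gateway that silently prefers Transfer-Encoding while its backend prefers Content-Length (or the reverse) is exactly the desynchronisation smuggling exploits.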
Wallarm Lab
added 2022/10/26 3:32 p.m. · 72 views

Evolution of API Security – A Practical Guide to Addressing API Threats in 2023

API security did not always look the way it does today; it has gone to great lengths to become as responsive and productive as it is now. What was it like at the beginning? What changes has it faced? What more can we expect in the future? If this is what bothe...

CVSS 10 · AI score 9.8 · EPSS 0.99999
Exploits 22
Wallarm Lab
added 2022/07/19 4:41 p.m. · 15 views

Wallarm extends AWS API security with the official Terraform module

Wallarm API Security solution is now available in AWS as an official Terraform module, with a full feature set including autoscaling groups, API Gateway connector, mirroring, and agentless out-of-band deployments. To address modern cloud-native threats, API security vendor Wallarm released extend...

AI score 0.1
Exploits 0
Snyk
added 2022/06/23 9:25 a.m. · 2 views

Malicious Package

Overview: @manomano-toolbox/api-gateway is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if...

CVSS 9.8 · AI score 7
Exploits 0 · References 3
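The dependency-confusion entry above turns on a single question: did a package in one of your internal scopes get resolved from the public registry? The added example below is not Snyk's tooling; it is a small Python check over a constructed package-lock.json (lockfileVersion 2/3 layout, "packages" map) that flags internal-scoped packages whose "resolved" tarball URL does not point at the private registry, and emits the .npmrc scope pins that prevent the lookup from ever reaching the public registry. The scope is taken from the advisory's package name; treating it as internal, and the private registry URL, are assumptions.

```python
import json

# Assumed: scopes this organisation publishes only to its private registry
# (scope name taken from the advisory), and the private registry URL (hypothetical).
INTERNAL_SCOPES = {"@manomano-toolbox"}
PRIVATE_REGISTRY = "https://npm.example.internal/"

# Constructed package-lock.json for illustration: one internal-scoped package
# resolved from the public registry, one correctly from the private one, plus
# an ordinary public dependency that must not be flagged.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {
            "@manomano-toolbox/api-gateway": "^1.0.0",
            "@manomano-toolbox/logger": "^2.1.0",
            "express": "^4.18.2"}},
        "node_modules/@manomano-toolbox/api-gateway": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/@manomano-toolbox/api-gateway/-/api-gateway-1.0.0.tgz"},
        "node_modules/@manomano-toolbox/logger": {
            "version": "2.1.0",
            "resolved": "https://npm.example.internal/@manomano-toolbox/logger/-/logger-2.1.0.tgz"},
        "node_modules/express": {
            "version": "4.18.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"},
    },
})


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (text after the last node_modules/)."""
    return path.rsplit("node_modules/", 1)[-1]


def scope_of(name):
    return name.split("/", 1)[0] if name.startswith("@") else None


def find_confused(lockfile_text, internal_scopes=INTERNAL_SCOPES, private_registry=PRIVATE_REGISTRY):
    """Return (name, version, resolved) for every internal-scoped package whose
    tarball did not come from the private registry. A hit means the install
    pulled (or would pull) a public package squatting on an internal name."""
    lock = json.loads(lockfile_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = package_name(path)
        resolved = meta.get("resolved", "")
        if scope_of(name) in internal_scopes and not resolved.startswith(private_registry):
            findings.append((name, meta.get("version"), resolved))
    return findings


def npmrc_lines(internal_scopes=INTERNAL_SCOPES, private_registry=PRIVATE_REGISTRY):
    """Scope-to-registry pins for .npmrc; with these, npm never asks the public
    registry for names in the internal scopes."""
    return [f"{scope}:registry={private_registry}" for scope in sorted(internal_scopes)]


if __name__ == "__main__":
    for name, version, resolved in find_confused(SAMPLE_LOCKFILE):
        print(f"CONFUSED {name}@{version} <- {resolved}")
    print("\n".join(npmrc_lines()))
```

The check reads only the lockfileVersion 2/3 "packages" map; a version 1 lockfile keeps the same information under "dependencies" and would need a second walker. Run it in CI against the committed lockfile so a resolution that slipped onto the public registry fails the build rather than the next install.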
NVD
added 2022/06/13 1:15 p.m. · 21 views

CVE-2022-31041

Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow end users to upload only certain file extensions, e.g. only PDF / Excel / .... The input validation of uploaded fil...

CVSS 7.6 · EPSS 0.00731
Exploits 0 · References 2