Security Bulletin: IBM DataPower Gateway vulnerable to multiple issues in Node.js
Summary: IBM has addressed the following CVEs that could affect the API Gateway Director, and in version 10.5. only the New UI. Vulnerability Details: CVEID: CVE-2023-30588 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by invalid public key information in x509 certificates. By...
How to Implement a Secure API Gateway
As you rely more on APIs to connect microservices in modern applications, these APIs become a lucrative target for bad actors. Learn how an API gateway provides an extra layer of security, helping protect your systems and data from unauthorized access...
Google ESPv2 Authorization Issue Vulnerability
Google ESPv2 is a general-purpose L7 service proxy from Google, Inc. (United States). It can enable API management for JSON/REST or gRPC API services. An authorization issue vulnerability exists in Google ESPv2 versions 2.20.0 to 2.42.0, which originates from an API client that can craft maliciou...
GHSA-WJ6X-HCC2-F32J Consul Server Panic when Ingress and API Gateways Configured with Peering Connections
A vulnerability was identified in Consul and Consul Enterprise (“Consul”): an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. To exploit this vulnerability, an attacker requires access to an...
Apache ShenYu Authorization Problem Vulnerability (CNVD-2023-23553)
Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway from the Apache Software Foundation (United States). An authorization issue vulnerability exists in Apache ShenYu versions prior to 2.5.1, which stems from improper privilege management and can be exploited b...
SQL Injection
cubejs-backend/api-gateway is vulnerable to SQL Injection attacks. A specifically crafted attack statement through the /v1/sql-runner endpoint allows a malicious authenticated user to inject and execute arbitrary SQL queries on the target system...
GHSA-6JQM-3C9G-PCH7 @cubejs-backend/api-gateway row level security bypass
Impact All authenticated Cube clients could bypass row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. Patches The change has been reverted in 0.31.24 Workarounds Upgrade to =0.31.24 or downgrade to =0.31.22 Post mortem As part of implementing the Cube Cloud...
Exploit for Authentication Bypass by Spoofing in Apache Apisix
POCs Collected POCs CVE-2022-24112 To create a test...
Security Bulletin: IBM DataPower Gateway potentially vulnerable to HTTP request smuggling
Summary: These flaws have the potential to affect the API Gateway Service. IBM has addressed the CVEs. Vulnerability Details: CVEID: CVE-2022-32213 DESCRIPTION: Node.js is vulnerable to HTTP request smuggling, caused by the failure to correctly parse and validate Transfer-Encoding headers by the...
Evolution of API Security – A Practical Guide to Addressing API Threats in 2023
The API security scenarios we witness today were nothing like this at the beginning. API security has gone to great lengths to become as responsive and productive as it is now. How was it in the beginning? What changes has it faced? What more can we expect in the future? If this is what bothe...
Wallarm extends AWS API security with the official Terraform module
Wallarm API Security solution is now available in AWS as an official Terraform module, with a full feature set including autoscaling groups, API Gateway connector, mirroring, and agentless out-of-band deployments. To address modern cloud-native threats, API security vendor Wallarm released extend...
Malicious Package
Overview @manomano-toolbox/api-gateway is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if...
CVE-2022-31041
Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow only certain file extensions to be uploaded by end users e.g. only PDF / Excel / .... The input validation of uploaded fil...
CVE-2022-31041 Insufficient content-type validation for uploaded files in open-forms
Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow only certain file extensions to be uploaded by end users e.g. only PDF / Excel / .... The input validation of uploaded fil...
MAL-2022-411 Malicious code in @manomano-toolbox/api-gateway (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware db95524e5bf90907d13f9109419d2a10727fd9549c599cad79231ab6359745f1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Exploit for Code Injection in Vmware Spring_Cloud_Gateway
Spring-Cloud-Gateway-CVE-2022-22947 Security Notice regardi...