SB2023060702 - Multiple vulnerabilities in Axway API Gateway and API Manager 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023060702

SB2023060702 - Multiple vulnerabilities in Axway API Gateway and API Manager

Published: June 7, 2023 Updated: October 12, 2023

Security Bulletin ID SB2023060702
Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 27% Medium 45% Low 27%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Incorrect default permissions (CVE-ID: N/A)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for the apigw-backup-tool.ini file that stores passwords in clear text. A local user with access to the system can view contents of the file and obtain access credentials.


2) Input validation error (CVE-ID: N/A)

The vulnerability allows a remote user to perform spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing application name. A remote user inject a clickable link into the application name in the monitoring view and tr4ick the victim into visiting a malicious website.


3) Deserialization of Untrusted Data (CVE-ID: CVE-2022-1471)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the SnakeYaml's Constructor() class. A remote attacker can pass specially crafted yaml content to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


4) Code Injection (CVE-ID: CVE-2021-23450)

The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code via the setObject function.


5) Uncontrolled Recursion (CVE-ID: CVE-2023-1436)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


6) Uncontrolled Recursion (CVE-ID: CVE-2023-1370)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when processing nested arrays and objects. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service (DoS) attack.


7) Improper Control of Dynamically-Managed Code Resources (CVE-ID: CVE-2023-29199)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to an error within the source code transformer. A remote user can bypass handleException() and leak unsanitized host exceptions. The obtain information can be used to escape the sandbox and run arbitrary code in host context.


8) Improper Control of Dynamically-Managed Code Resources (CVE-ID: CVE-2023-29017)

The vulnerability allows a remote attacker to escape sandbox restrictions.

The vulnerability exists due to improper handling of host objects passed to "Error.prepareStackTrace" in case of unhandled async errors. A remote attacker can pass specially crafted input to the application, escape sandbox restrictions and execute arbitrary code on the host.


9) Inefficient Algorithmic Complexity (CVE-ID: CVE-2022-25881)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to regular expression denial of service that occurs when the server reads the cache policy from the request using this library. A remote unauthenticated attacker can send malicious request header values to the server and perform a denial of service attack.


10) Resource exhaustion (CVE-ID: CVE-2023-0464)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when verifying X.509 certificate chains that include policy constraints. A remote attacker can create a specially crafted certificate to trigger resource exhaustion and perform a denial of service (DoS) attack.


11) Information disclosure (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the REST API "/config" endpoint. A remote attacker can obtain OS and architecture type.


Remediation

Install update from vendor's website.

References