  • Previously, an application built with API Builder could allow a remote attacker to bypass authentication to an API endpoint. The issue was discovered by Axway and we have no indications that the vulnerability has been exploited or publicly disclosed. Now, the authentication bypass vulnerability has been resolved in API Builder 2.x.
    • Summary: An application built with API Builder could allow a remote attacker to bypass authentication to an API endpoint. The issue was discovered by Axway and we have no indications that the vulnerability has been exploited or publicly disclosed.
    • Vulnerability details: An application built with API Builder could allow a remote attacker to bypass authentication to an API endpoint, obtain sensitive information, and affect integrity and availability when the application uses any of the following authentication mechanisms:
      • HTTP Basic Authentication
      • API Key based Authentication
      • LDAP Authentication
    • CVSS base score: 10
    • CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
    • Applying remediation/fixes: If your published applications are using any of the following authentication mechanisms, it is recommended that you download the patch versions and republish your applications:
      • HTTP Basic Authentication
      • API Key based Authentication
      • LDAP Authentication
      For API Builder Applications developed and published with API Builder 2.x, download CLI Version 6.3.1 and republish the application using the following steps:
      1. appc use 6.3.1
      2. cd <your project folder>
      3. appc publish -f
    • Further information: For additional information, refer to https://support.axway.com/news/1180. For additional questions, contact support@axway.com.
