  • Previously, an application built with API Builder could allow a remote attacker to bypass authentication to an API endpoint. The issue was discovered by Axway and we have no indications that the vulnerability has been exploited or publicly disclosed. Now, the authentication bypass vulnerability has been resolved in API Builder 3.x.
    • Summary: An application built with API Builder could allow a remote attacker to bypass authentication to an API endpoint. The issue was discovered by Axway and we have no indications that the vulnerability has been exploited or publicly disclosed.
    • Vulnerability details: An application built with API Builder could allow a remote attacker to bypass authentication to an API endpoint, obtain sensitive information, and affect integrity and availability when the application uses any of the following authentication mechanisms:
      • HTTP Basic Authentication
      • API Key based Authentication
      • LDAP Authentication
    • CVSS base score: 10
    • CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
    • Applying remediation/fixes: If your published applications are using any of the following authentication mechanisms, it is recommended that you download the patch versions and republish your applications:
      • HTTP Basic Authentication
      • API Key based Authentication
      • LDAP Authentication
      For API Builder Applications developed and published with API Builder 3.x, download CLI Version 7.0.7 or above and republish the application with the following steps:
      1. appc use latest
      2. cd <your project folder>
      3. appc publish -f
      If you have manually added the Arrow dependency to your API Builder application where the Arrow or API Builder version is a custom build, then ensure that this dependency is updated to the latest version (Arrow/API Builder 3.2.5 or above).
    • Further information: For additional information, refer to https://support.axway.com/news/1180. For additional questions, contact support@axway.com.
