Apiman has insufficient checks for read permissions
High severity
GitHub Reviewed
Published
Dec 20, 2022
to the GitHub Advisory Database
•
Updated Jan 29, 2023
Package
Affected versions
>= 1.5.7, <= 2.2.3.Final
Patched versions
3.0.0.Final
Description
Published by the National Vulnerability Database
Dec 20, 2022
Published to the GitHub Advisory Database
Dec 20, 2022
Reviewed
Dec 20, 2022
Last updated
Jan 29, 2023
Apiman 1.5.7 through 2.2.3.Final has insufficient checks for read permissions within the Apiman Manager REST API. A malicious user may be able to find and subscribe to private APIs they do not have permission for, thus accessing API Management-protected resources they should not be allowed to access. The root cause of the issue is the Apiman project's accidental acceptance of a large contribution that was not fully compatible with the security model of Apiman versions before 3.0.0.Final. Because of this, 3.0.0.Final is not affected by the vulnerability.
References