Description

This web application is configured with the serviceMetadata property httpGetEnabled / httpsGetEnabled set to true. When configured this way, the WCF service metadata (e.g. WSDL) will be publicly accessible.

Remediation

It's recommended to disable service metadata publishing by setting the serviceMetadata property httpGetEnabled / httpsGetEnabled to false. 

<serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />

References

ServiceMetadataBehavior

Related Vulnerabilities

Apache Tapestry weak secret key

Tornado debug mode

Apache perl-status enabled

Yii2 Gii extension

Jetpack 2.9.3: Critical Security Update

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration