Description

The Kong Gateway provides API for accessing various information and configuring it. Acunetix determined that it was possible to access this API without authentication.

Remediation

Restrict access to the Kong Gateway API interface

References

OWASP Authentication Cheat Sheet

Securing the Admin API

Related Vulnerabilities

Unsafe value for session tracking in WEB-INF/web.xml

WordPress Plugin Ninja Forms Contact Form-The Drag and Drop Form Builder for WordPress Multiple Vulnerabilities (3.4.33)

MyBB Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3759)

WordPress full path disclosure

PostgreSQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-7486)

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Tags

Configuration