Description

The Kong Gateway provides API for accessing various information and configuring it. Invicti determined that it was possible to access this API without authentication.

Remediation

Restrict access to the Kong Gateway API interface

References

OWASP Authentication Cheat Sheet

Securing the Admin API

Related Vulnerabilities

WordPress Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-5835)

MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-4569)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-4304)

Missing Content-Type Header

Ruby Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2020-10933)

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Tags

Configuration