Description

The Kong Gateway provides API for accessing various information and configuring it. Invicti determined that it was possible to access this API without authentication.

Remediation

Restrict access to the Kong Gateway API interface

References

OWASP Authentication Cheat Sheet

Securing the Admin API

Related Vulnerabilities

Spring Misconfiguration: HTML Escaping disabled

MediaWiki remote code execution

Error page web server version disclosure

npm log file publicly accessible (npm-debug.log)

Hadoop cluster web interface

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Tags

Configuration