Description

Kong Gateway is an open-source, lightweight API gateway. Kong comes with an internal RESTful Admin API for administration purposes. Requests to the Admin API can be sent to any node in the cluster, and Kong will keep the configuration consistent across all nodes.

It was discovered that the Kong Gateway Admin API is accessible without authentication. Since this API is the administrative interface for the gateway's configuration, access to it should be restricted; best practice is to expose the Kong Gateway Admin API to localhost only.

Remediation

Restrict access to the Kong Admin API. Best practice is to bind it to localhost only, so that it is reachable solely from the Kong node itself.
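The following is an added example, not part of the original advisory or of Kong's own code, showing how a defender can check a kong.conf for an Admin API listener that is bound to a non-loopback address. It relies on the real `admin_listen` directive (comma-separated "host:port [flags]" entries, or `off`); the two configuration samples are constructed for the example, and the assumption that the last `admin_listen` line in the file wins is the script's own simplification.

```python
"""Audit a kong.conf for an Admin API listening on a non-loopback address.

Added example; not taken from the advisory or from Kong. Assumes the
standard kong.conf syntax for the real `admin_listen` directive.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: Admin API bound to all interfaces (the weak setting).
WEAK_CONF = """\
# kong.conf (constructed sample)
proxy_listen = 0.0.0.0:8000 reuseport backlog=16384
admin_listen = 0.0.0.0:8001 reuseport backlog=16384, 0.0.0.0:8444 http2 ssl reuseport backlog=16384
"""

# Constructed sample: Admin API bound to loopback only (the recommended setting).
HARDENED_CONF = """\
# kong.conf (constructed sample)
proxy_listen = 0.0.0.0:8000 reuseport backlog=16384
admin_listen = 127.0.0.1:8001 reuseport backlog=16384, [::1]:8444 http2 ssl reuseport backlog=16384
"""


def parse_admin_listen(conf_text: str) -> List[str]:
    """Return the listener entries of the effective admin_listen line.

    Comments (after '#') are ignored; `admin_listen = off` yields no entries.
    Assumption: when the key appears more than once, the last line wins.
    """
    entries: List[str] = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() != "admin_listen":
            continue
        value = value.strip()
        if value.lower() == "off":
            entries = []
        else:
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries


def listener_host(entry: str) -> str:
    """Extract the host part of 'host:port flags...', handling [IPv6]:port."""
    addr = entry.split()[0]
    if addr.startswith("["):
        return addr[1 : addr.index("]")]
    return addr.rsplit(":", 1)[0]


def is_loopback(host: str) -> bool:
    """True only for addresses we can prove are loopback without resolving names."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # An unresolved hostname cannot be proven local; treat it as exposed.
        return False


def audit_admin_listen(conf_text: str) -> Dict[str, List[str]]:
    """Classify each admin_listen entry as 'loopback' or 'exposed'."""
    result: Dict[str, List[str]] = {"exposed": [], "loopback": []}
    for entry in parse_admin_listen(conf_text):
        bucket = "loopback" if is_loopback(listener_host(entry)) else "exposed"
        result[bucket].append(entry)
    return result


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        report = audit_admin_listen(conf)
        print(f"{name}: {'EXPOSED' if report['exposed'] else 'ok'}")
        for entry in report["exposed"]:
            print(f"  admin_listen entry not bound to loopback: {entry}")
```

Run it against a real kong.conf by reading the file into `audit_admin_listen`; any entry reported as exposed is a listener that accepts Admin API requests from other hosts. Addresses such as `0.0.0.0` and `[::]` are deliberately treated as exposed, and unresolvable hostnames are reported as exposed rather than silently assumed local.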
