Description

The Kong Gateway provides API for accessing various information and configuring it. Acunetix determined that it was possible to access this API without authentication.

Remediation

Restrict access to the Kong Gateway API interface

References

OWASP Authentication Cheat Sheet

Securing the Admin API

Related Vulnerabilities

Clickjacking: CSP frame-ancestors missing

WordPress Plugin WordPress Backup to Dropbox Information Disclosure (4.7.1)

WordPress Plugin WP-Live Chat by 3CX Information Disclosure (8.0.28)

WordPress Plugin Jigoshop Information Disclosure (1.17.9)

Devise weak password

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Tags

Configuration