PT-2022-28075 · Apiman · Apiman

Marc Savy · Published 2022-12-19 · Updated 2023-01-03 · CVE-2022-47551

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apiman versions 1.5.7 through 2.2.3.Final

Description: The issue is caused by insufficient checks for read permissions within the Apiman Manager REST API, allowing a malicious user to access private APIs for which they have no permission. It stems from the Apiman project's accidental acceptance of a large contribution that was not fully compatible with the security model of Apiman versions before 3.0.0.Final. A remote authenticated attacker can access information and resources in an Apiman Organization of which they are not a member and/or for which they lack permissions. For example, an attacker may be able to craft an HTTP request to discover APIs that are private to organizations they are not members of. If the attacker has sufficient permissions in their own organization, they may also be able to sign up to the private APIs they have discovered, thereby gaining access to an API Management protected resource that they should not have access to.

Recommendations: Upgrade to Apiman 3.0.0.Final or later to fix the issue. If using an older version of Apiman, contact the Apiman support provider for advice and long-term support. As a temporary workaround, consider restricting access to the Apiman Manager REST API to minimize the risk of exploitation. Avoid using the API to discover or sign up to private APIs until the issue is resolved.

Fix

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

CVE-2022-47551
GHSA-54R5-WR8X-X5V3
GHSA-J94P-HV25-RM5G

Affected Products

Apiman