newstech.world


A team of researchers from cloud security provider Ermetic discovered three vulnerabilities in Microsoft’s Azure API Management service.


The “high-risk” flaws included Server-Side Request Forgery (SSRF) vulnerabilities and a file upload path traversal on an internal Azure workload.

  • The Azure API Management service is a fully managed platform that organizations can use to create, manage, secure, and analyze their APIs across all environments.
  • SSRF attacks occur when an attacker abuses the functionality of a server to make requests to an unintended location, enabling access to sensitive data stored in the targeted server.   
  • An Ermetic blog post details how attackers could have abused the SSRF vulnerabilities to send requests from the service’s CORS Proxy and the hosting proxy itself, access internal Azure assets, cause denial of service, and bypass web application firewalls.
  • Ermetic first discovered the vulnerabilities on Dec. 21, 2022, and Microsoft has now fully patched them. No further action is needed on the part of Microsoft customers.
