GHSA-54r5-wr8x-x5v3: Duplicate Advisory: Apiman has insufficient checks for read permissions

December 20, 2022 (updated October 7, 2024)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-j94p-hv25-rm5g. This link is maintained to preserve external references.

Original Description

Apiman 1.5.7 through 2.2.3.Final has insufficient checks for read permissions within the Apiman Manager REST API. A malicious user may be able to find and subscribe to private APIs they do not have permission for, thus accessing API Management-protected resources they should not be allowed to access. The root cause of the issue is the Apiman project’s accidental acceptance of a large contribution that was not fully compatible with the security model of Apiman versions before 3.0.0.Final. Because of this, 3.0.0.Final is not affected by the vulnerability.

References

Code Behaviors & Features

Detect and mitigate GHSA-54r5-wr8x-x5v3 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →