Azure API Management Vulnerabilities Allowed Unauthorized Access


Two SSRF (server-side request forgery) issues and one file-upload path traversal bug were found; they stemmed from URL formatting workarounds and an unrestricted file upload capability. According to Ermetic, all three have been fully patched. The first of the SSRF issues to be discovered was a distinct SSRF vulnerability in API Management that Microsoft patched last year.

Had these vulnerabilities been successfully exploited, an attacker might have been able to reach internal Azure assets, bypass web application firewalls, cause a denial-of-service (DoS) condition, and upload malicious files to internal servers.

