Google engineers acknowledged the issue and stated that the team is working to update the software to prevent these types of attacks in the future. There are several ways to access the scale API Management 2 system, including via API, users on the system, or third-party applications. To protect against these vulnerabilities, API users should limit access to data via API keys as well as monitor usage of any third-party applications.

API Management (API)

Google's API management system is one of the most popular and widely used remote access systems in the world. The system allows developers to manage their own applications using various APIs, including Google's.
The company previously reported that a vulnerability in the "api_scale" component of this software enabled hackers to take control of Google's servers for approximately 1 minute and gain information about other users' accounts. "API access is granted by default to all registered users of the Management 2 System," according to Google.

What is API Management?

API management is the practice of controlling access to APIs. It is used in a variety of industries, including digital marketing, analytics and even security.
The purpose of API management is to keep an application's data secure by limiting access to authorized users and monitoring usage with analytics tools. The goal is to proactively identify potential attacks by creating policies that restrict resource access and by tracking user behavior.

API Management Vulnerability - CVE-2019-2037

A vulnerability in API Management 2 allows attackers to access any scale API as a user. This vulnerability is known as CVE-2019-2037 and has been publicly disclosed by Google engineers.
To protect against this vulnerability, API users should limit access to data via API keys and monitor usage of any third-party applications.
For more information on the vulnerability, you can visit the following link: https://bugs.chromium.org/p/project-zero/issues/detail?id=15644

API Management 2 Vulnerability (CVE-2023)

The API Management 2 software is vulnerable to a cross-site scripting (XSS) attack. An attacker can use this vulnerability to craft a URL that appears to come from the API Management 2 software but actually redirects the user to another website of the attacker's choosing.

This vulnerability affects API Management 2 systems only and no other product.

Timeline

Published on: 10/19/2022 18:15:00 UTC
Last modified on: 10/21/2022 16:59:00 UTC
