Broken access controls, injection attacks plague the enterprise security landscape in 2022 – API security


Spring4Shell and Veeam RCE exploit topped the list in Q1 2022

API-related security vulnerabilities continue to be a thorn in the side of organizations, with access control flaws now associated with high-severity CVEs.

According to a new whitepaper published by API security firm Wallarm, titled ‘API vulnerabilities discovered and exploited in Q1-2022’, a total of 48 API-related vulnerabilities were found and reported in the first quarter.

Based on industry standards, 18 were considered high-risk and 19 were labeled as of medium severity, the report (PDF) says.

The critical vulnerabilities disclosed publicly earned themselves CVSS v3 scores ranging from 8.1 to 10.

Top API threats

Merging both OWASP Top 10 and OWASP API Security Top 10 standards, the cybersecurity firm categorized the most significant API threat disclosures as issues relating to broken access controls (or broken function level authorization, depending on the OWASP standard), as well as injection attacks.

While security flaws including cryptographic failures, insecure design, excessive data exposure, and misconfigurations also made the list, the most dangerous, exploited API vulnerabilities disclosed in Q1 2022 relate to injection attacks, incorrect authorization or a complete bypass, and incorrect permission assignment.

Topping the list of the four most dangerous API vulnerabilities disclosed and reported in the first quarter of 2022 is CVE-2022-22947, also known as ‘Spring4Shell.’

Spring4Shell is linked to two vulnerabilities – CVE-2022-22963, a SpEL expression injection bug in Spring Cloud Function, and CVE-2022-22947, a code injection attack leading to remote code execution (RCE) in Spring Framework’s Java-based Core module.

A developer publicly released exploit code for the critical bug in March, and although promptly deleted, the release of working RCE code ensured Spring4Shell became a headache for developers who needed to apply Spring’s emergency patch quickly.

The vulnerability was compared to Log4j due to the Spring Framework’s popularity. Before long, Microsoft and CISA warned of active exploitation of the zero-day flaw. Attackers then harnessed the bug to grow the Mirai botnet.

Enterprise technologies targeted

The second vulnerability at the top of the API vulnerability list is CVE-2022-26501 (CVSS 9.8), an improper authentication bug in Veeam Backup and Replication that allows attackers to execute arbitrary code remotely without authentication. Veeam supports over 400,000 customers, many of which are enterprise firms.

According to Nikita Petrov, the Positive Technologies researcher who disclosed the critical bug alongside two others, CVE-2022-26501 had the potential to “be exploited in real attacks and put many organizations at significant risk”.

The third flaw, another assigned a CVSS score of 9.8, impacts Zabbix, an enterprise-grade open source network tool. Tracked as CVE-2022-23131, when a non-default setting to enable SAML SSO authentication was in use, the tool’s front end was susceptible to privilege escalation and admin session hijacking – as long as an attacker knew the admin’s username.

Fourth is CVE-2022-24327, a lower-grade bug assigned a CVSS score of 7.8 but still considered a severe vulnerability. Found in the JetBrains suite hub, the bug related to developer accounts integrated into the hub which inadvertently exposed API keys with excessive permissions, potentially leading to account takeover or hijacking.

Finally, Wallarm has bundled a category of API security threats as a common denominator in many cyber-attacks today. Described by Mitre as “CWE-639: Authorization Bypass Through User-Controlled Key”, the issues surround system authorization functionality which allows key values to be tampered with, letting users access other users’ data or records without permission.
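The CWE-639 pattern described above, shown as an added example that is not taken from the Wallarm report or from any affected product: a record lookup keyed only on a request-supplied ID, the same lookup scoped to the authenticated user, and a log check that flags cross-owner reads. The `Invoice` records, function names and log entries are hypothetical and constructed for illustration.

```python
# Added example: CWE-639 (authorization bypass through a user-controlled key).
# All names and records below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: str

# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, "alice", "120.00"),
    1002: Invoice(1002, "bob", "89.50"),
}

class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""

def get_invoice_unchecked(session_user: str, invoice_id: int) -> Invoice:
    # Weak form: the caller is authenticated, but the record is selected
    # only by the key taken from the request. Ownership is never compared.
    return INVOICES[invoice_id]

def get_invoice_checked(session_user: str, invoice_id: int) -> Invoice:
    # Hardened form: the lookup is scoped to the authenticated identity.
    # Missing and foreign records fail the same way, so the response does
    # not reveal which keys exist.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != session_user:
        raise Forbidden(f"invoice {invoice_id} not available to {session_user}")
    return invoice

def audit_cross_owner_reads(access_log):
    """Return (user, invoice_id) pairs where the reader is not the owner."""
    findings = []
    for user, invoice_id in access_log:
        invoice = INVOICES.get(invoice_id)
        if invoice is not None and invoice.owner != user:
            findings.append((user, invoice_id))
    return findings

# Constructed access log: (authenticated user, requested key).
SAMPLE_LOG = [("alice", 1001), ("bob", 1002), ("bob", 1001), ("alice", 9999)]

if __name__ == "__main__":
    print(get_invoice_unchecked("bob", 1001))  # another user's record
    print(audit_cross_owner_reads(SAMPLE_LOG))
```
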

APIs, as key communication methods between functions, will remain a target for cyber-attackers as long as they are in use due to their critical roles in modern networks and services.

In recent API security news, open source hacking tool GoTestWAF has introduced API security platform evaluation capabilities, emulating OWASP and API exploits to test API security defenses.

