Broken access controls, injection attacks plague the enterprise security landscape in 2022 – API security
Spring4Shell and Veeam RCE exploit topped the list in Q1 2022

API-related security vulnerabilities continue to be a thorn in the side of organizations, with access control flaws now associated with high-severity CVEs.

According to a new whitepaper published by API security firm Wallarm, titled ‘API vulnerabilities discovered and exploited in Q1-2022’, a total of 48 API-related vulnerabilities were found and reported in the first quarter.

Based on industry standards, 18 were considered high-risk and 19 were labeled as medium severity, the report (PDF) says.

The critical vulnerabilities disclosed publicly earned themselves CVSS v3 scores ranging from 8.1 to 10.

Top API threats

Merging both OWASP Top 10 and OWASP API Security Top 10 standards, the cybersecurity firm categorized the most significant API threat disclosures as issues relating to broken access controls (or broken function level authorization, depending on the OWASP standard), as well as injection attacks.

While security flaws including cryptographic failures, insecure design, excessive data exposure, and misconfigurations also made the list, the most dangerous, exploited API vulnerabilities disclosed in Q1 2022 relate to injection attacks, incorrect authorization or a complete bypass, and incorrect permission assignment.

Topping the list of the four most dangerous API vulnerabilities disclosed and reported in the first quarter of 2022 is CVE-2022-22947, also known as ‘Spring4Shell.’

Spring4Shell is linked to two vulnerabilities – CVE-2022-22963, a SpEL expression injection bug in Spring Cloud Function, and CVE-2022-22947, a code injection attack leading to remote code execution (RCE) in Spring Framework’s Java-based Core module.

A developer publicly released exploit code for the critical bug in March, and although it was promptly deleted, the release of working RCE code ensured Spring4Shell became a headache for developers who needed to apply Spring’s emergency patch quickly.

The vulnerability was compared to Log4j due to the Spring Framework’s popularity. Before long, Microsoft and CISA warned of active exploitation of the zero-day flaw. Attackers then harnessed the bug to grow the Mirai botnet.

Enterprise technologies targeted

The second vulnerability at the top of the API vulnerability list is CVE-2022-26501 (CVSS 9.8), an improper authentication bug in Veeam Backup and Replication that allows attackers to execute arbitrary code remotely without authentication. Veeam supports over 400,000 customers, many of which are enterprise firms.

According to Nikita Petrov, the Positive Technologies researcher who disclosed the critical bug alongside two others, CVE-2022-26501 had the potential to “be exploited in real attacks and put many organizations at significant risk”.


The third flaw, another assigned a CVSS score of 9.8, impacts Zabbix, an enterprise-grade open source network tool. Tracked as CVE-2022-23131, the bug made the tool’s front end susceptible to privilege escalation and admin session hijacking when a non-default setting enabling SAML SSO authentication was in use – as long as an attacker knew the admin’s username.

Fourth is CVE-2022-24327, a lower-grade bug assigned a CVSS score of 7.8 but still considered a severe vulnerability. Found in the JetBrains suite hub, the bug related to developer accounts integrated into the hub, which inadvertently exposed API keys with excessive permissions, potentially leading to account takeover or hijacking.

Finally, Wallarm has bundled a category of API security threats as a common denominator in many cyber-attacks today. Described by Mitre as “CWE-639: Authorization Bypass Through User-Controlled Key”, the issues surround system authorization functionality that allows key values to be tampered with, letting users access other users’ data or records without permission.
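As an added illustration of the CWE-639 pattern described above (example code, not from the article or Wallarm’s report; the users, record ids and audit log are constructed): the vulnerable lookup trusts the client-supplied key alone, while the hardened lookup scopes it to the session identity and records denials so they can be picked up for detection.

```python
# Added example (not from the article or Wallarm's report): CWE-639,
# authorization bypass through a user-controlled key. All data is constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


# Constructed sample data: two users, each owning one record.
RECORDS = {
    101: Record(101, "alice", "alice's invoice"),
    102: Record(102, "bob", "bob's invoice"),
}

# Constructed audit sink; a real service would emit these to its logging pipeline.
AUDIT_LOG = []


class Forbidden(Exception):
    """Raised when the caller does not own the requested record."""


def get_record_vulnerable(session_user: str, record_id: int) -> Optional[Record]:
    """CWE-639 pattern: the id taken from the request is the only key used.
    Any authenticated user who changes the id reads another user's record,
    and the session identity is never consulted."""
    return RECORDS.get(record_id)


def get_record_secure(session_user: str, record_id: int) -> Optional[Record]:
    """Hardened form: the lookup is scoped to the authenticated identity from
    the session, so a tampered key cannot reach another user's record."""
    record = RECORDS.get(record_id)
    if record is None:
        return None
    if record.owner != session_user:
        # Record the denied cross-user access: repeated denials from one
        # session walking through sequential ids are a useful detection signal.
        AUDIT_LOG.append(f"denied user={session_user} record_id={record_id}")
        raise Forbidden(record_id)
    return record
```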

APIs, as key communication methods between functions, will remain a target for cyber-attackers as long as they are in use due to their critical roles in modern networks and services.

In recent API security news, open source hacking tool GoTestWAF has introduced API security platform evaluation capabilities, emulating OWASP and API exploits to test API security defenses.
