APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management, bringing together breakers, defenders, and solutions in API security.
Quarterly Review of API Vulnerabilities
Ivan Novikov, CEO at Wallarm
Slide 2
Introduction
About this work
● All newly disclosed API vulnerabilities in Q1’22 (where descriptions are sufficient to classify)
● All API exploits for API vulnerabilities discovered
● Automated search queries
● A lot of manual work for classification
About the author
● Security researcher and speaker
● Bug hunter
● CEO of Wallarm, API security company
Slide 9
No, it’s not Spring4Shell, but a completely different issue.
The /actuator/gateway/routes/ API endpoint is vulnerable to Remote Code Execution via SSTI (JSON payload, filter argument):
#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(...
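The detection side of the issue above, as an added example that is not part of the original deck: a small inspector that takes a request to the gateway actuator's route-write endpoint, parses the JSON route definition, and flags predicate or filter arguments that carry a SpEL template (`#{`), rating it higher when the template also references a type (`T(`), which is the shape of the payload on the slide. The route-definition layout (id, predicates, filters with name/args, uri) is assumed from Spring Cloud Gateway's documented format; the route names, hostnames and benign values are constructed for the example.

```python
import json
import re

# Constructed sample route definitions in the shape the gateway actuator
# accepts at POST /actuator/gateway/routes/{id}. The field layout is assumed
# from Spring Cloud Gateway's route-definition format; the values are made up.
BENIGN_ROUTE = {
    "id": "orders",
    "predicates": [{"name": "Path", "args": {"_genkey_0": "/orders/**"}}],
    "filters": [{"name": "AddResponseHeader",
                 "args": {"name": "X-Service", "value": "orders"}}],
    "uri": "http://orders.internal:8080",
}

# Same shape, but the filter argument carries the SpEL fragment quoted on the
# slide (kept truncated exactly as the slide shows it).
SSTI_ROUTE = {
    "id": "hacktest",
    "predicates": [{"name": "Path", "args": {"_genkey_0": "/hacktest/**"}}],
    "filters": [{"name": "AddResponseHeader", "args": {
        "name": "Result",
        "value": "#{new String(T(org.springframework.util.StreamUtils)"
                 ".copyToByteArray(T(java.lang.Runtime).getRuntime().exec(...",
    }}],
    "uri": "http://example.com",
}
SSTI_REQUEST_BODY = json.dumps(SSTI_ROUTE)

TEMPLATE_START = re.compile(r"#\{")   # start of a SpEL template expression
TYPE_REFERENCE = re.compile(r"\bT\(")  # SpEL type reference, e.g. T(java.lang.Runtime)


def _walk(node, path=""):
    """Yield (json_path, value) for every string leaf in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_spel_in_route(route):
    """Return findings for predicate/filter argument values that contain a SpEL template."""
    findings = []
    for path, value in _walk(route):
        # Only the args of predicates and filters are evaluated as shortcut
        # expressions by the gateway, so other string fields are not in scope.
        in_args = (path.startswith("filters") or path.startswith("predicates")) and ".args." in path
        if not in_args or not TEMPLATE_START.search(value):
            continue
        severity = "critical" if TYPE_REFERENCE.search(value) else "high"
        findings.append({"path": path, "severity": severity, "value": value[:80]})
    return findings


def inspect_actuator_request(method, url_path, body):
    """Inspect one HTTP request; return findings if it writes a route whose args contain SpEL."""
    if method.upper() not in ("POST", "PUT"):
        return []
    if not url_path.startswith("/actuator/gateway/routes/"):
        return []
    try:
        route = json.loads(body)
    except ValueError:
        return []  # not a JSON route definition; nothing to evaluate
    return find_spel_in_route(route)


if __name__ == "__main__":
    for name, route in (("benign", BENIGN_ROUTE), ("ssti", SSTI_ROUTE)):
        print(name, find_spel_in_route(route))
```

The check is intentionally narrow: it only looks at string values under `predicates[*].args` and `filters[*].args`, because those are the values the gateway hands to its expression evaluator, and it keys on the template opener rather than on a specific class name so that variations of the payload are still caught. A write to the route endpoint that is flagged by this logic is worth blocking regardless of the expression's body, since legitimate route definitions have no reason to carry a SpEL template in a filter argument.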
Slide 10
A vulnerability (CVE-2022-26501) exists in the Veeam Distribution Service. This component allows executing malicious code remotely without authentication, which may lead to gaining control over the target system.
The Veeam Distribution Service, using TCP 9380 with default settings, allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API that leads to uploading and executing malicious code.
Slide 11
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.
We don’t know much about this issue.
Slide 12
Summary
1. New API vulnerabilities happen often – one every other day in Q1-2022
2. 39% of Q1 API issues are high risk and 28.5% are 9.1+ CVSSv3 score
3. Injections and Broken Access Control issues are the most common at 67.3%
4. Enterprise software, SaaS, OSS, cloud-native software, dev. frameworks – all vulnerable
5. We will continue this work and publish the Q1 report on our website soon. Please email me at request@wallarm.com if you need your copy sooner