Category: Business, Database, Data

This week, we learn about the recent serious API vulnerability in VMware vCenter (if you have one, update ASAP!), why query and path parameters cannot be trusted for confidential data, how potential attacks can emerge from inconsistencies in JSON parser behavior, and how a VS Code extension can help fix API vulnerabilities.

Mikhail Klyuchnikov from PT SWARM found a critical remote code execution (RCE) vulnerability in VMware vCenter (CVE-2021-21972).

Lessons learned with this one: URLs of API calls (and thus path and query parameters in them) should not be used to pass any confidential data.
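To make the lesson concrete, here is an added example (not from the newsletter or from the vCenter research) showing why a secret placed in a query parameter ends up in places the API designer never intended. Access logs in Common Log Format style record the request line and the Referer header but not the Authorization header, so the same token is exposed in one design and not in the other. All URLs, parameter names and header values are constructed for illustration.

```python
"""
Why query and path parameters cannot carry confidential data.

A proxy, CDN or origin server typically logs the request target (path plus
query string) and the Referer header.  A token in the query string is
therefore written verbatim to every such log; the same token in an
Authorization header is not.  The helpers below simulate that log line,
detect leaked values, and show the redaction a logger should apply when
URLs with sensitive parameters cannot be avoided.

All names and values here are constructed examples.
"""
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

# Parameter names this example treats as confidential (assumed list).
SENSITIVE_PARAMS = {"token", "api_key", "password", "session"}


def access_log_line(method, url, headers):
    """Render a request the way a CLF-style access log records it.

    Only the request line and Referer reach the log; Authorization does not.
    """
    parsed = urlparse(url)
    request_target = parsed.path + ("?" + parsed.query if parsed.query else "")
    referer = headers.get("Referer", "-")
    return f'"{method} {request_target} HTTP/1.1" 200 "{referer}"'


def leaked_values(url, log_line):
    """Return the sensitive query values from url that appear verbatim in log_line."""
    query = parse_qs(urlparse(url).query)
    return {
        name: values[0]
        for name, values in query.items()
        if name in SENSITIVE_PARAMS and values[0] in log_line
    }


def redact_url(url):
    """Drop sensitive query parameters before a URL is logged or forwarded."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query, keep_blank_values=True)
    kept = {k: v for k, v in query.items() if k not in SENSITIVE_PARAMS}
    return urlunparse(parsed._replace(query=urlencode(kept, doseq=True)))


if __name__ == "__main__":
    # Design 1: token in the query string (constructed example).
    in_url = "https://api.example.test/v1/report?user=42&token=abc123"
    line = access_log_line("GET", in_url, {"Referer": "https://app.example.test/dashboard"})
    print("query-string design logs:", line)
    print("leaked:", leaked_values(in_url, line))

    # Design 2: same token carried in an Authorization header.
    in_header = "https://api.example.test/v1/report?user=42"
    line = access_log_line("GET", in_header, {"Authorization": "Bearer abc123"})
    print("header design logs:    ", line)
    print("leaked:", leaked_values(in_header, line))

    print("redacted:", redact_url(in_url))
```

The same reasoning applies to path parameters: a token embedded in the path is part of the request target and is logged, cached and sent as a Referer exactly like a query parameter. Redaction at the logger only limits the damage; the fix is to move the secret into a header or the request body.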

Inconsistencies in how different JSON parsers handle the same document can in turn lead to discrepancies in input and output values between different parts of the architecture, with unforeseen consequences.
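As an added illustration (not code from the newsletter or from the research it summarizes), the block below shows one well-known source of such discrepancies: JSON does not require object keys to be unique, and parsers disagree on whether the first or the last duplicate wins. Two components that parse the same document with different policies see different values. The defensive option shown at the end is to reject ambiguous documents at the trust boundary. The sample document and the `qty` field are constructed for this example.

```python
"""
Duplicate-key handling as a JSON interoperability discrepancy.

RFC 8259 only says object names "SHOULD" be unique, so parsers are free to
keep the first or the last occurrence.  Python's json.loads keeps the last;
other parsers keep the first.  The helpers below emulate both policies with
object_pairs_hook, flag documents on which the policies disagree, and
provide a strict loader that refuses duplicates outright.

The sample document is constructed for illustration.
"""
import json


class AmbiguousJSON(ValueError):
    """Raised when a document contains a duplicate object key."""


def _first_wins(pairs):
    # Keep the first value seen for each key (behaviour of some parsers).
    result = {}
    for key, value in pairs:
        result.setdefault(key, value)
    return result


def _last_wins(pairs):
    # Keep the last value seen for each key (Python's default behaviour).
    return dict(pairs)


def _reject_duplicates(pairs):
    # Strict policy: any repeated key makes the document ambiguous.
    result = {}
    for key, value in pairs:
        if key in result:
            raise AmbiguousJSON(f"duplicate key {key!r}")
        result[key] = value
    return result


def parse_first_wins(text):
    return json.loads(text, object_pairs_hook=_first_wins)


def parse_last_wins(text):
    return json.loads(text, object_pairs_hook=_last_wins)


def parse_strict(text):
    """Parse text, raising AmbiguousJSON if any object repeats a key."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def disagreement(text):
    """True if a first-wins and a last-wins parser produce different objects."""
    return parse_first_wins(text) != parse_last_wins(text)


if __name__ == "__main__":
    doc = '{"user": "alice", "qty": 1, "qty": 1000}'  # constructed sample
    print("first-wins parser sees qty =", parse_first_wins(doc)["qty"])
    print("last-wins parser sees qty  =", parse_last_wins(doc)["qty"])
    print("parsers disagree:", disagreement(doc))
    try:
        parse_strict(doc)
    except AmbiguousJSON as exc:
        print("strict parser rejected it:", exc)
```

Running the strict loader at the API gateway or the first service that touches a request keeps every downstream component from ever seeing a document whose meaning depends on the parser used.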
