Ermetic Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service
New security flaws have been disclosed in the Azure API Management service that could be abused to gain access to sensitive information or backend services.
In a new article from The Hacker News, Ravie Lakshmanan examines Microsoft's recent disclosure of three vulnerabilities (since patched) discovered by the Ermetic Research Team: two SSRF flaws and an instance of unrestricted file upload functionality in the API Management developer portal.
"By abusing the SSRF vulnerabilities, attackers could send requests from the service's CORS Proxy and the hosting proxy itself, access internal Azure assets, deny service and bypass web application firewalls," Ermetic researcher Liv Matan said in a report shared with The Hacker News. "With the file upload path traversal, attackers could upload malicious files to Azure's hosted internal workload."