Closed Harmanpreet-96 closed 3 months ago
@Harmanpreet-96, thank you for opening this issue. We will triage it within the next few business days.
Hello @Harmanpreet-96, I couldn't find where the version is exposed. Could you please provide us with exact reproduction steps?
@Harmanpreet-96, we need more information before we start working on this issue. If you prefer to share it in private, please send us an email to apimportalfeedback@microsoft.com with the issue number in its subject.
For Version Disclosure (Lodash), the command below can be executed in the browser's console:
```js
_.templateSettings.imports._.templateSettings.imports._.VERSION
```
@Harmanpreet-96 that's not a valid snippet of code to execute so your instructions are not reproducible. Can you please specify more exactly what to execute in the developer tools console that will display the Lodash version?
@JMach1, FYI, this finding comes from an Invicti Enterprise security scan.
I am not able to add an underscore in front of this command.
```js
_.templateSettings.imports._.templateSettings.imports._.VERSION
```
@Harmanpreet-96 Again: that is not a valid variable name. What specifically are you suggesting?
Any updates?
Resolved console disclosure of the "underscore" variable by updating lodash imports. Replaced:
```js
import { isEqual } from "lodash";
```
with:
```js
import isEqual from "lodash/isEqual";
```
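A regression check for the disclosure discussed in this thread, added here as an example; it is not code from the issue or from the API Management developer portal. It inspects a global object (`window` in a browser, or the constructed stand-ins below) for an exposed Lodash instance and reports the version string if it is reachable through the same paths the scanner probed. The function names and sample globals are assumptions.

```javascript
// Added example: detect whether a global Lodash instance (and its version)
// is reachable from the page's global object, as in the console probe above.
function detectLodashGlobal(root) {
  const lodash = root && root._;
  if ((typeof lodash !== "function" && typeof lodash !== "object") || lodash === null) {
    return { exposed: false, version: null, path: null };
  }
  // Direct property on the global lodash object.
  if (typeof lodash.VERSION === "string") {
    return { exposed: true, version: lodash.VERSION, path: "_.VERSION" };
  }
  // Lodash also keeps a reference to itself under templateSettings.imports._,
  // which is the path the scanner's probe walked.
  const viaImports =
    lodash.templateSettings &&
    lodash.templateSettings.imports &&
    lodash.templateSettings.imports._;
  if (viaImports && typeof viaImports.VERSION === "string") {
    return { exposed: true, version: viaImports.VERSION, path: "_.templateSettings.imports._.VERSION" };
  }
  // Some global `_` exists but no Lodash version string is reachable.
  return { exposed: true, version: null, path: "_" };
}

// Constructed stand-in for a page that loaded the full lodash build and let it
// attach itself to the global object (the "before" state in this thread).
function makeLeakyGlobal() {
  const fakeLodash = function () {};
  fakeLodash.VERSION = "4.17.21"; // constructed sample value, not from the page
  fakeLodash.templateSettings = { imports: { _: fakeLodash } };
  return { _: fakeLodash };
}

// Constructed stand-in for a page bundled with per-method imports
// (import isEqual from "lodash/isEqual"), which leaves no global `_`.
function makeCleanGlobal() {
  return { isEqualWasBundled: true };
}
```

Run `detectLodashGlobal(window)` in a browser test (for example from an end-to-end test harness) and fail the build when `exposed` is true.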
The issue was resolved for me
This issue is related to the managed developer portal. We advise you to create an Azure support request to get assistance on this issue. Please refer to the link below to create a new Azure support request, and select Problem Type = "Developer Portal" in the request to route it appropriately.
Bug description
Security scan identified a version disclosure (Lodash) in the target web server's HTTP response. This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Lodash.
Impact
An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.
Reproduction steps
Expected behavior
Configure your web server to prevent information leakage.
Is your portal managed or self-hosted?
Managed
Release tag or commit SHA (if using self-hosted version)
[e.g., release 2.0.0, commit c45da9778b70d369aba60fa2e63c191efe2b548f]
API Management service name
enterprise-apim-dev
Environment
Additional context
Add any other context about the problem here, including screenshots.