Azure / api-management-developer-portal

Developer portal provided by the Azure API Management service.
MIT License

Version Disclosure (Lodash) #2265

Closed Harmanpreet-96 closed 3 months ago

Harmanpreet-96 commented 11 months ago

Bug description

Security scan identified a version disclosure (Lodash) in the target web server's HTTP response. This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Lodash.

Impact

An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.

Reproduction steps

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior

Configure your web server to prevent information leakage.

Is your portal managed or self-hosted?

Managed

Release tag or commit SHA (if using self-hosted version)

[e.g., release 2.0.0, commit c45da9778b70d369aba60fa2e63c191efe2b548f]

API Management service name

enterprise-apim-dev

Environment

Additional context

Add any other context about the problem here, including screenshots.

ghost commented 11 months ago

@Harmanpreet-96, thank you for opening this issue. We will triage it within the next few business days.

JMach1 commented 11 months ago

Hello @Harmanpreet-96, I couldn't find where the version is exposed. Could you please provide us with exact reproduction steps?

ghost commented 11 months ago

@Harmanpreet-96, we need more information before we start working on this issue. If you prefer to share it in private, please send us an email to apimportalfeedback@microsoft.com with the issue number in its subject.

Harmanpreet-96 commented 11 months ago

For Version Disclosure (Lodash), the command below can be executed in the browser's console: `_.templateSettings.imports._.templateSettings.imports._.VERSION`

brsolomon-deloitte commented 10 months ago

@Harmanpreet-96 that's not a valid snippet of code to execute so your instructions are not reproducible. Can you please specify more exactly what to execute in the developer tools console that will display the Lodash version?

@JMach1, FYI, this finding comes from an Invicti Enterprise security scan.

brsolomon-deloitte commented 10 months ago

Related: https://github.com/lodash/lodash/issues/5704

Harmanpreet-96 commented 10 months ago

I am not able to add an underscore in front of this command.

`_.templateSettings.imports._.templateSettings.imports._.VERSION`

brsolomon-deloitte commented 10 months ago

.templateSettings.imports..templateSettings.imports..VERSION

@Harmanpreet-96 Again: that is not a valid variable name. What specifically are you suggesting?

[screenshot]

Harmanpreet-96 commented 10 months ago

[screenshot]

Harmanpreet-96 commented 5 months ago

Any updates?

eduardhyan commented 5 months ago

Resolved console disclosure of the "underscore" variable by updating lodash imports. Replaced:

`import { isEqual } from "lodash";`

with:

`import isEqual from "lodash/isEqual";`

The issue was resolved for me.

mrcarlosdev commented 3 months ago

This issue is related to the managed developer portal. We advise you to create an Azure support request to get assistance on this issue. Please refer to the link below to create a new Azure support request, and select Problem Type = "Developer Portal" in the request to route it appropriately.

https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request