Cloud security firm Ermetic has discovered three security flaws in Microsoft Azure API Management services that could allow malicious actors to access sensitive data or backend services.
- Two of the security flaws are server-side request forgery (SSRF) vulnerabilities, while the third is an unrestricted file upload capability in the API Management developer portal.
- Researchers warn that exploiting the two SSRF vulnerabilities could permit access to internal Azure assets, result in denial of service and allow adversaries to bypass web application firewalls.
- The path traversal flaw discovered in the developer portal could allow third parties to upload malicious files and potentially execute code.
- Microsoft has patched all three vulnerabilities after being alerted to their existence through responsible disclosure.