In Q1 2022, Spring4Shell and Veeam RCE exploits were at the top of the list.

Access control weaknesses are now connected to high-severity CVEs, and API-related security concerns are still a pain for businesses.

In the first quarter of 2022, 48 API-related vulnerabilities were discovered and reported, according to a new whitepaper from API security company Wallarm titled “API vulnerabilities discovered and exploited in Q1-2022.”

The report (PDF) states that 18 were deemed high-risk according to industry standards, and 19 were classified as medium severity.

The major flaws that were made public had CVSS v3 scores that ranged between 8.1 and 10.

Top API threats

The cybersecurity company combined the OWASP Top 10 and OWASP API Security Top 10 standards and identified broken access control (or broken function level authorization, depending on the OWASP standard) and injection attacks as the most important API threat disclosures.

The most harmful, exploited API vulnerabilities disclosed in Q1 2022 related to injection attacks, incorrect authorization or a complete bypass, and incorrect permission assignment. Security flaws such as cryptographic failures, insecure design, excessive data exposure, and misconfigurations also made the list.

CVE-2022-22947, sometimes referred to as “Spring4Shell,” is at the top of the list of the four most harmful API vulnerabilities revealed and reported in the first quarter of 2022.

Two vulnerabilities are related to Spring4Shell: CVE-2022-22963, a SpEL expression injection flaw in Spring Cloud Function, and CVE-2022-22947, a code injection attack that results in remote code execution (RCE) in the Java-based Core module of the Spring Framework.

A developer publicly posted exploit code for the flaw in March and, although it was swiftly removed, Spring4Shell became a nightmare for developers who needed to apply Spring’s emergency patch right away.

Due to the ubiquity of the Spring Framework, the vulnerability was compared to Log4j. Soon after, CISA and Microsoft issued a warning on the active exploitation of the zero-day weakness. Attackers used the bug to expand the Mirai botnet after that.

Targets

The second vulnerability at the top of the list for API vulnerabilities is CVE-2022-26501 (CVSS 9.8), a flaw in Veeam Backup and Replication’s authentication process that enables remote code execution by attackers without authentication. Over 400,000 clients, many of them large businesses, are supported by Veeam.

The major problem, CVE-2022-26501, had the potential to “be exploited in real attacks and put many businesses at significant risk,” according to Nikita Petrov, a Positive Technologies researcher who discovered it together with two other researchers.

The third issue, which also carries a CVSS score of 9.8, affects the enterprise-grade open source network monitoring tool Zabbix. The tool’s front end was vulnerable to privilege escalation and admin session hijacking when the non-default SAML SSO authentication setting was enabled, provided the attacker knew the admin’s username. This vulnerability is tracked as CVE-2022-23131.

The fourth vulnerability is CVE-2022-24327, a lower-grade problem with a CVSS score of 7.8 that is nevertheless regarded as serious. The flaw was discovered in JetBrains Hub and affected developer accounts integrated into the hub: it unintentionally exposed API keys with privileged access, opening the door to account takeover or hijacking.

Finally, Wallarm has identified a group of API authorization weaknesses as a common thread among many of today’s cyberattacks. The underlying problem, in which an attacker changes a key value (such as a record identifier) in a request and the application returns another user’s data or records without checking permission, is what MITRE refers to as “CWE-639: Authorization Bypass Through User-Controlled Key.”
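The CWE-639 pattern Wallarm describes, as an added illustration that is not from the report or this article: a hypothetical invoice lookup written twice, once fetching by the client-supplied id alone and once scoped to the authenticated user. The records, user names and the `Forbidden` exception are constructed for the example.

```python
# Added illustration of CWE-639 (authorization bypass through a
# user-controlled key) in an API handler, beside the object-level
# authorization check that closes it. All data below is constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample store: two users, one invoice each.
INVOICES = {
    101: Invoice(101, "alice", 250.00),
    102: Invoice(102, "bob", 980.00),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """CWE-639: the record is looked up by the client-supplied key only.

    The authenticated user is never consulted, so changing the id in the
    request returns another user's invoice.
    """
    return INVOICES[invoice_id]


def get_invoice_fixed(current_user: str, invoice_id: int) -> Invoice:
    """Object-level authorization: the lookup is tied to the principal.

    A foreign id is rejected exactly like a missing one, so the response
    does not reveal which ids exist.
    """
    record = INVOICES.get(invoice_id)
    if record is None or record.owner != current_user:
        raise Forbidden(f"invoice {invoice_id} is not accessible")
    return record
```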

Due to their essential roles in contemporary networks and services, APIs will continue to be a target for cyber-attackers as long as they are in use.

Recent developments in API security have seen the introduction of API security platform evaluation capabilities by the open-source hacking tool GoTestWAF, which simulates OWASP and API attacks to test API security defenses.
