Swagger API disclosure


    • Type: Task
    • Resolution: Unresolved
    • Priority: Medium
    • 3.8.0
    • Affects Version/s: None
    • FLW Sprint 37, FLW Sprint 38, FLW Sprint 39, FLW Sprint 40
    • FLW Mobile App
    • All

      The Swagger API documentation is publicly accessible without authentication.

      Impact:
      Enables attackers to enumerate endpoints, request formats, and internal API logic.


      Finding details:

      Vulnerability Name: Swagger API disclosure
      Vulnerable URL: https://uatamrit.piramalswasthya.org/flw-api/swagger-ui/index.html
      CVE/CWE: CWE-200
      CVSS Score: 5.2
      Overall Risk (Severity): Medium
      Observation / Description: It was observed that the Swagger API documentation was publicly disclosed.
      Impact: An attacker can access the Swagger API documentation if it is publicly reachable, which can lead to a security breach.
      Recommendation: Never disclose Swagger API documentation publicly.
      Reference: https://cwe.mitre.org/data/definitions/200.html
      Steps to reproduce: Step 1: During the security assessment we found that the Swagger API was publicly accessible.
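      One way to apply the recommendation above, as an added example that is not part of this ticket or the FLW code base. It assumes a Spring Boot service using springdoc-openapi (whose default UI path, /swagger-ui/index.html, matches the URL in the finding) and Spring Security 6; the package and role names are hypothetical.

```java
// Added example, not from this ticket or the FLW code base. Assumes Spring Boot
// with springdoc-openapi and Spring Security 6; package and role names are
// hypothetical.
package com.example.apidocs;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ApiDocsSecurityConfig {

    // springdoc's default endpoints: the Swagger UI and the OpenAPI document it
    // renders. Protecting only index.html is not enough; the JSON under
    // /v3/api-docs is what actually lists every endpoint and request schema.
    private static final String[] API_DOC_PATHS = {
        "/swagger-ui/**", "/swagger-ui.html", "/v3/api-docs/**"
    };

    // Ordered before the application's main filter chain so these paths are
    // matched here first rather than by a broader permitAll() rule elsewhere.
    @Bean
    @Order(1)
    public SecurityFilterChain apiDocsFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(API_DOC_PATHS)
            .authorizeHttpRequests(auth -> auth
                // Unauthenticated callers get 401 instead of the UI;
                // authenticated users without the role get 403.
                .anyRequest().hasRole("API_DOCS_READER"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// For the production profile, go further and switch the endpoints off entirely
// (application-prod.properties):
//   springdoc.api-docs.enabled=false
//   springdoc.swagger-ui.enabled=false
```

      After deploying, confirm the fix by requesting the UI path and /v3/api-docs without credentials and checking that both return 401 rather than the documentation.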

              Assignee: Vishwanath Balkur
              Reporter: Shashank Kharkwal
              Votes: 0
              Watchers: 1