
Version Disclosure (Lodash)

Open Harmanpreet-96 opened this issue 2 years ago • 11 comments

Bug description

Security scan identified a version disclosure (Lodash) in the target web server's HTTP response. This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Lodash.

Impact

An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.

Reproduction steps

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior

Configure your web server to prevent information leakage.

Is your portal managed or self-hosted?

Managed

Release tag or commit SHA (if using self-hosted version)

[e.g., release 2.0.0, commit c45da9778b70d369aba60fa2e63c191efe2b548f]

API Management service name

enterprise-apim-dev

Environment

  • Operating system: [e.g., iOS]
  • Browser: [e.g., Google Chrome, Safari]
  • Version: [e.g., 22]

Additional context

Add any other context about the problem here, including screenshots.

Harmanpreet-96, Jul 31 '23 11:07

@Harmanpreet-96, thank you for opening this issue. We will triage it within the next few business days.

ghost, Jul 31 '23 11:07

Hello @Harmanpreet-96, I couldn't find where the version is exposed. Could you please provide us with exact reproduction steps?

JMach1, Jul 31 '23 15:07

@Harmanpreet-96, we need more information before we start working on this issue. If you prefer to share it in private, please send us an email to [email protected] with the issue number in its subject.

ghost, Jul 31 '23 15:07

For Version Disclosure (Lodash), the command below can be executed in the browser's console:

`_.templateSettings.imports._.templateSettings.imports._.VERSION`

Harmanpreet-96, Aug 09 '23 14:08

@Harmanpreet-96 that's not a valid snippet of code to execute so your instructions are not reproducible. Can you please specify more exactly what to execute in the developer tools console that will display the Lodash version?

@JMach1, FYI, this finding comes from an Invicti Enterprise security scan.

brsolomon-deloitte, Aug 29 '23 16:08

Related: https://github.com/lodash/lodash/issues/5704

brsolomon-deloitte, Aug 29 '23 16:08

I am not able to add an underscore in front of this command (the markdown strips it):

`_.templateSettings.imports._.templateSettings.imports._.VERSION`

Harmanpreet-96, Aug 29 '23 16:08

> `.templateSettings.imports..templateSettings.imports..VERSION`

@Harmanpreet-96 Again: that is not a valid variable name. What specifically are you suggesting?

[image]

brsolomon-deloitte, Aug 29 '23 16:08

[image]

Harmanpreet-96, Aug 29 '23 17:08

Any updates?

Harmanpreet-96, Jan 15 '24 14:01

Resolved console disclosure of the "underscore" variable by updating lodash imports. Replaced:

`import { isEqual } from "lodash";`

with:

`import isEqual from "lodash/isEqual";`

The issue was resolved for me.

eduardhyan, Feb 01 '24 08:02
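Two defender-side checks for the finding discussed in this thread, as an added example that is neither code from the thread nor from the developer portal project. The first is the console lookup from the report, written as a safe probe that returns the version string or null; it assumes the intended expression was `_.templateSettings.imports._.VERSION` (the thread's markdown ate the underscores). The second is a small source audit that finds `import { ... } from "lodash"` lines and produces the per-method form eduardhyan reports as the fix. The function names, the regex and the sample inputs are all constructed for this example.

```javascript
// Added example, not from the issue thread or the portal project.
// Assumption: the reported console expression was `_.templateSettings.imports._.VERSION`.

// 1. Runtime probe. In a browser smoke test you would call exposedLodashVersion(window);
//    a non-null result means the full lodash object is reachable from a global `_`.
function exposedLodashVersion(root) {
  const lodash = root && root._;
  if (!lodash) return null; // no global underscore: nothing disclosed via this path
  return lodash.templateSettings?.imports?._?.VERSION ?? lodash.VERSION ?? null;
}

// 2. Static check over source text: match named imports of the whole library.
const FULL_LODASH_IMPORT = /^\s*import\s*\{([^}]*)\}\s*from\s*["']lodash["']\s*;?\s*$/;

// Returns the per-method import(s) for one `import { a, b as c } from "lodash"` line,
// or null when the line is not such an import (e.g. an already per-method import).
function rewriteLodashImport(line) {
  const m = FULL_LODASH_IMPORT.exec(line);
  if (!m) return null;
  const specs = m[1].split(",").map((s) => s.trim()).filter(Boolean);
  return specs
    .map((spec) => {
      const [name, alias] = spec.split(/\s+as\s+/).map((s) => s.trim());
      return `import ${alias || name} from "lodash/${name}";`;
    })
    .join("\n");
}

// Walks a source file and reports every full-lodash named import with its replacement.
function auditSource(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    const replacement = rewriteLodashImport(line);
    if (replacement !== null) {
      findings.push({ line: idx + 1, original: line.trim(), replacement });
    }
  });
  return findings;
}

// Constructed sample source for a stand-alone run.
const SAMPLE_SOURCE = [
  'import { isEqual } from "lodash";',
  'import React from "react";',
  'import { debounce, cloneDeep as clone } from "lodash";',
  'import isEqual2 from "lodash/isEqual";', // already per-method: not flagged
  "const x = 1;",
].join("\n");

// Constructed stand-ins for a page that leaks a global `_` and one that does not.
const LEAKY_WINDOW = { _: { templateSettings: { imports: { _: { VERSION: "0.0.0-example" } } } } };
const CLEAN_WINDOW = {};

if (typeof require !== "undefined" && require.main === module) {
  console.log("leaky page:", exposedLodashVersion(LEAKY_WINDOW));
  console.log("clean page:", exposedLodashVersion(CLEAN_WINDOW));
  for (const f of auditSource(SAMPLE_SOURCE)) {
    console.log(`line ${f.line}: ${f.original}\n  -> ${f.replacement.replace(/\n/g, "\n  -> ")}`);
  }
}
```

The probe is the check to add to a post-deploy smoke test: it fails the build when the version path resolves instead of requiring someone to remember to open the console. The audit is the pre-merge counterpart; it only rewrites the named-import form the thread shows, so a `import _ from "lodash"` default import would need a separate rule.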

This issue is related to the managed developer portal. We advise you to create an Azure support request to get assistance on this issue. Please refer to the link below to create a new Azure support request, and select Problem Type = "Developer Portal" in the request so it is routed appropriately.

https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request

mrcarlosdev, Mar 29 '24 17:03