Feature Request
Resolution: Won't Do
Product / Portfolio Work
Our FSI customer has identified the following High Severity vulnerability, which needs fixing before they deploy within their organization. We have informed them that it is expected behavior, but they still need it secured.
Finding 1 - Web Service Does Not Require Authentication (Severity: High (7.1)):
Summary
The web service does not enforce the use of a suitable authentication mechanism.
Impact
Any client may access and execute the web services without proper authentication.
Details
As noted in the request/response pair below, the APIs do not require any sort of authentication.
Request:
GET /api/v1/users/ismalik HTTP/1.1
Host: <Quay application>
X-Requested-With: XMLHttpRequest

Response:
HTTP/1.1 200 OK
server: nginx/1.22.1
date: Wed, 18 Sep 2024 21:55:55 GMT
content-type: application/json
content-length: 187
access-control-allow-origin: *
access-control-allow-methods: DELETE, GET, HEAD, OPTIONS, POST, PUT
access-control-max-age: 21600
access-control-allow-headers: AUTHORIZATION, CONTENT-TYPE, X-REQUESTED-WITH
vary: Cookie
x-frame-options: DENY
set-cookie: 430d902ba2c313bee41fbdb58112e1ef=5dc9714fce72b05cb8ea399d31821c9b; path=/; HttpOnly; Secure; SameSite=None

{"anonymous": false, "username": "ismalik", "avatar": {"name": "ismalik", "hash": "", "color": "#6b6ecf", "kind": "user"}}
Remediation Recommendations
Enforce authentication controls for all web service transactions. This can be any of the following
options:
• TLS mutual authentication
• API key with a shared secret over a TLS connection
• Username/password combination over a TLS connection
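As an added illustration, not code from Quay and not part of the pentest report above, the following Python models the open user lookup captured in the finding next to the same lookup placed behind the report's second remediation option (API key with a shared secret over a TLS connection), together with the check a customer could run to confirm that the endpoint no longer returns a record without credentials. The user record, the client id, the secret, the `Authorization: HMAC <key-id>:<timestamp>:<mac>` header layout and the skew window are constructed assumptions for the example; TLS is assumed to be terminated in front of the handler, as nginx does in the captured response. The mutual-TLS and username/password options are not modeled.

```python
"""Unauthenticated user lookup as captured in the finding, beside a shared-secret variant."""
import hashlib
import hmac
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed sample record mirroring the response body in the finding (not Quay's data store).
USERS: Dict[str, dict] = {
    "ismalik": {
        "anonymous": False,
        "username": "ismalik",
        "avatar": {"name": "ismalik", "hash": "", "color": "#6b6ecf", "kind": "user"},
    },
}

# Hypothetical per-client shared secret. A real deployment issues one per API client and
# loads it from a secrets store, never from source code.
CLIENT_SECRETS: Dict[str, bytes] = {"scanner-client": b"constructed-example-secret-not-for-use"}

MAX_SKEW_SECONDS = 300  # assumed replay window for the signed timestamp

Headers = Dict[str, str]
Response = Tuple[int, dict]


def lookup_user_open(headers: Headers, username: str) -> Response:
    """Behaviour recorded in the finding: the record is returned to any caller,
    whether or not an Authorization header is present."""
    user = USERS.get(username)
    return (200, user) if user else (404, {"error": "user not found"})


def sign_request(secret: bytes, method: str, path: str, timestamp: int) -> str:
    """Client side of the shared-secret option: HMAC-SHA256 over the method, path and a
    timestamp, so a captured signature is useless for another path or outside the window."""
    msg = f"{method}\n{path}\n{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def lookup_user_authenticated(headers: Headers, method: str, path: str, username: str,
                              now: Optional[int] = None) -> Response:
    """Same lookup behind an API-key-with-shared-secret check.
    Expected header (assumed format): Authorization: HMAC <key-id>:<timestamp>:<hex-mac>"""
    now = int(time.time()) if now is None else now
    scheme, _, credential = headers.get("authorization", "").partition(" ")
    parts = credential.split(":")
    if scheme != "HMAC" or len(parts) != 3:
        return 401, {"error": "authentication required"}
    key_id, ts_str, mac = parts
    secret = CLIENT_SECRETS.get(key_id)
    if secret is None or not ts_str.isdigit():
        return 401, {"error": "authentication required"}
    timestamp = int(ts_str)
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return 401, {"error": "stale request"}
    expected = sign_request(secret, method, path, timestamp)
    # Constant-time comparison so the check leaks nothing about the expected MAC.
    if not hmac.compare_digest(mac, expected):
        return 401, {"error": "authentication required"}
    return lookup_user_open(headers, username)


def exposes_user_without_credentials(handler: Callable[[Headers, str], Response],
                                     username: str) -> bool:
    """Regression check mirroring the finding's request: send only X-Requested-With and
    report whether a user record came back."""
    status, body = handler({"x-requested-with": "XMLHttpRequest"}, username)
    return status == 200 and body.get("username") == username


def hardened_handler(headers: Headers, username: str) -> Response:
    """Adapter so the hardened lookup can be probed with the same check."""
    return lookup_user_authenticated(headers, "GET", f"/api/v1/users/{username}", username)


if __name__ == "__main__":
    path = "/api/v1/users/ismalik"
    print("open endpoint leaks record:", exposes_user_without_credentials(lookup_user_open, "ismalik"))
    print("hardened endpoint leaks record:", exposes_user_without_credentials(hardened_handler, "ismalik"))
    ts = int(time.time())
    mac = sign_request(CLIENT_SECRETS["scanner-client"], "GET", path, ts)
    signed = {"authorization": f"HMAC scanner-client:{ts}:{mac}"}
    print("signed request:", lookup_user_authenticated(signed, "GET", path, "ismalik"))
    print("unsigned request:", lookup_user_authenticated({}, "GET", path, "ismalik"))
```

The probe function is the piece worth keeping in a customer's pipeline: run it against each endpoint that is supposed to be protected, and treat a `True` as a regression. Binding the MAC to the path and a timestamp is what stops the captured request/response pair in the finding from being replayed once the check is in place.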