SCA: security update for io.apiman:apiman-manager-api-rest-impl (GHSA-m6f8-hjrv-mw5f)

low Tenable Cloud Security Plugin ID 416777

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an
attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not
have permission for if they correctly guess the URL, which includes Organisation ID, Client ID, and Client
Version of the targeted non-permitted resource. While not trivial to exploit, it could be achieved by
brute-forcing or guessing common names. Access to the non-permitted API Keys could allow use of other
users' resources without their permission (depending on the specifics of configuration, such as whether an
API key is the only form of security). Apiman 3.1.0.Final resolved this issue. Users are advised to
upgrade. The only known workaround is to restrict account access. (CVE-2023-28640)

See Also

https://github.com/advisories/GHSA-m6f8-hjrv-mw5f

Plugin Details

Severity: Low

ID: 416777

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2023-28640

CVSS v3

Risk Factor: Low

Base Score: 3.1

Temporal Score: 2.7

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/27/2023

Vulnerability Publication Date: 3/27/2023

Reference Information

CVE: CVE-2023-28640