Description

The Haproxy provides Data Plane API for accessing various information and configuring it. Acunetix determined that it was possible to access this API without authentication or using weak/known login and password.

Remediation

Restrict access to the Haproxy Data Plane API interface

References

Data Plane API Installation

Related Vulnerabilities

Oracle HTTP Server Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-3195)

WordPress Plugin WordPress Backup to Dropbox Information Disclosure (4.7.1)

WordPress Plugin Media Library Assistant Information Disclosure (3.00)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2009-4303)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2019-3848)

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Tags

Default Credentials Weak Credentials Configuration Abuse Of Functionality