
AWA: HTTP TRACE Enabled on REST API (Security Vulnerability)


Article ID: 145908


Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

During a security audit, the AWI may be reported as vulnerable to Cross Site Tracing via the HTTP TRACE method (see https://owasp.org/www-community/attacks/Cross_Site_Tracing).

Cause

Security Vulnerability

Environment

Release : 12.2,12.3

Component : AUTOMATION ENGINE

Resolution

Before the fix, the REST API returned a 500 status code when a client sent an unsupported HTTP method (such as TRACE) to an existing endpoint.
This issue has been fixed: the REST API now returns the status code 405 (Method Not Allowed) for unsupported HTTP methods.

Fixed In:

Automation.Engine 12.2.5
Automation.Engine 12.3.2
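To verify the behaviour described above after patching, the following Python script sends a TRACE request carrying a marker header and classifies the outcome into the states the article distinguishes: the request is echoed back (the Cross Site Tracing precondition), a 500 (pre-fix behaviour), or a 405 (fixed behaviour). This is an added example written for this article, not Automic's code or documentation. The default path /ae/api/v1/ is an assumption and should be replaced with a real REST API endpoint; the two local stand-in servers are constructed only so the script can run offline. A 405 response should also carry an Allow header listing the supported methods, as RFC 7231 requires.

```python
"""Probe an HTTP endpoint for honoured TRACE (Cross Site Tracing precondition)
and for the pre-fix 500 vs. fixed 405 behaviour on unsupported methods.
Added example for this article; not Automic's code."""
import argparse
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER_HEADER = "X-Xst-Probe"      # header we send and then look for in the echo
MARKER_VALUE = "xst-probe-7f3a"    # constructed, arbitrary marker value
DEFAULT_PATH = "/ae/api/v1/"       # assumption: replace with a real REST API endpoint


def classify(status, echoed):
    """Map a probe outcome onto the states the article distinguishes."""
    if echoed:
        return "VULNERABLE: TRACE echoed the request (Cross Site Tracing possible)"
    if status == 405:
        return "OK: unsupported method rejected with 405 Method Not Allowed"
    if status == 500:
        return "UNFIXED: 500 on unsupported method (pre-12.2.5 / 12.3.2 behaviour)"
    if status == 501:
        return "OK: method not implemented (501)"
    return f"REVIEW: unexpected status {status}"


def probe_trace(host, port, path=DEFAULT_PATH, timeout=5):
    """Send TRACE with a marker header; report status, Allow header and echo."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={MARKER_HEADER: MARKER_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        status, allow = resp.status, resp.getheader("Allow")
    finally:
        conn.close()
    echoed = MARKER_VALUE in body   # our own header came back: TRACE is honoured
    return {"status": status, "echoed": echoed, "allow": allow,
            "verdict": classify(status, echoed)}


class EchoingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that still honours TRACE (vulnerable)."""
    def do_TRACE(self):
        body = self.raw_requestline + b"".join(
            f"{k}: {v}\r\n".encode() for k, v in self.headers.items())
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


class RejectingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the fixed behaviour: 405 plus an Allow header."""
    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, POST, PUT, DELETE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass


def start_server(handler):
    """Start a local stand-in server on an ephemeral port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Probe a host for honoured TRACE.")
    ap.add_argument("host")
    ap.add_argument("port", type=int)
    ap.add_argument("--path", default=DEFAULT_PATH)
    a = ap.parse_args()
    r = probe_trace(a.host, a.port, a.path)
    print(f"status={r['status']} allow={r['allow']} echoed={r['echoed']}")
    print(r["verdict"])
```

Run it as `python probe_trace.py <host> <port> --path <endpoint>` against the REST API port; a result of 405 with no echo is the expected post-fix outcome, 500 indicates the pre-fix release, and any response containing the marker header means TRACE is still being honoured and needs attention regardless of the status code.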