We have a security problem with the Layer7 API Gateway 10.1 CR01
There was a pentest, during which we found a problem with the implementation of the TRACE method in Layer7 API Gateway.
The return of 405 is OK, but the mirroring of the input headers (e.g. the Authorization header) in the response is a security issue.
Release: 10.1
Component: API GATEWAY
This is fixed in CR2; it was caused by an upgrade of the Tomcat library files in CR1.
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/release-notes/resolved-issues.html
DE532415 Resolved a potential Gateway vulnerability in which HTTP TRACE requests were returning sensitive header information.
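The point of the report above is that a 405 status alone says nothing about whether the request headers were echoed back: the Gateway rejected TRACE with 405 and still mirrored the Authorization header in the body. The following check, added here as an example and not Broadcom's or the pentester's code, sends a TRACE with canary header values (placeholders, not real credentials) to a gateway you administer and reports whether any of them come back in the response, which is a simple way to confirm the behaviour before and after applying CR2. The host, port and path are assumptions; the two sample response bodies are constructed, not captured from a real Gateway.

```python
"""Check whether an endpoint mirrors request headers in its TRACE response.

Added example for the KB entry above; not Layer7 Gateway code.
"""
import http.client
import ssl

# Canary values: deliberately fake so that a reflection is detectable
# without sending a real credential.
SENSITIVE_HEADERS = {
    "Authorization": "Bearer CANARY-not-a-real-token",
    "Cookie": "session=CANARY-not-a-real-cookie",
}


def reflected_headers(body: bytes, sent_headers: dict) -> list:
    """Return the names of sent headers whose values appear in the response body."""
    text = body.decode("utf-8", errors="replace")
    return [name for name, value in sent_headers.items() if value in text]


def classify(status: int, body: bytes, sent_headers: dict) -> str:
    """Combine status and body into a verdict.

    A 405 (or 501) with no reflection is the expected hardened behaviour;
    a 405 whose body still contains the canaries is exactly the defect
    described in the article.
    """
    found = reflected_headers(body, sent_headers)
    if found:
        return "VULNERABLE: status %d but body reflects %s" % (status, ", ".join(found))
    if status in (405, 501):
        return "OK: TRACE rejected with %d and no header reflection" % status
    return "REVIEW: status %d, no reflection, but TRACE not rejected" % status


def probe_trace(host: str, port: int = 8443, use_tls: bool = True,
                path: str = "/", timeout: float = 10.0) -> str:
    """Send one TRACE with canary headers and classify the response.

    host/port/path are assumptions for illustration; point this only at a
    gateway you are responsible for.
    """
    if use_tls:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers=SENSITIVE_HEADERS)
        resp = conn.getresponse()
        return classify(resp.status, resp.read(), SENSITIVE_HEADERS)
    finally:
        conn.close()


# Constructed sample bodies (not real Gateway output) showing the two cases.
BEFORE_FIX_BODY = (
    "TRACE / HTTP/1.1\r\n"
    "Host: gateway.example\r\n"
    "Authorization: Bearer CANARY-not-a-real-token\r\n"
    "Cookie: session=CANARY-not-a-real-cookie\r\n\r\n"
).encode()
AFTER_FIX_BODY = b"<html><body><h1>Method Not Allowed</h1></body></html>"


if __name__ == "__main__":
    # Offline demonstration on the constructed bodies; both carry status 405.
    print(classify(405, BEFORE_FIX_BODY, SENSITIVE_HEADERS))
    print(classify(405, AFTER_FIX_BODY, SENSITIVE_HEADERS))
    # Live check against a gateway you administer (assumed host name):
    # print(probe_trace("gateway.example", 8443))
```

Running the module on the constructed bodies prints a VULNERABLE verdict for the first (405 with the canaries echoed) and an OK verdict for the second (405 with a plain error page); `probe_trace` applies the same classification to a real response.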