HTTP Trace method enabled on PAM Proxy port 27077


Article ID: 252244


CA Privileged Access Manager (PAM)


A vulnerability scan revealed that the HTTP TRACK or TRACE method is enabled for the web service running on port 27077. A local or remote unprivileged user may be able to abuse the HTTP TRACE/TRACK functionality to gain access to sensitive information in HTTP headers when making HTTP requests.


Release : 4.0-4.0.3, 4.1-4.1.1


The Windows Proxy uses Jetty and did not explicitly disable the TRACE method in releases prior to 4.0.4 and 4.1.2.


This problem is fixed in PAM 4.1.2+; see the following item on the documentation page Resolved Issues in 4.1.2:

33224672    DE545335    Potential vulnerability: HTTP Track/Trace method is enabled in PAM Windows Proxy.

Additional Information

This can be tested with the following curl command:

curl -v -X TRACE http://<proxy server address>:27077


For a PAM 4.1.1 Windows Proxy the response would include:


< HTTP/1.1 200 OK
< Date: Wed, 26 Jun 2024 21:38:57 GMT
< Content-Type: message/http
< Content-Length: 83
< Server: Jetty(9.4.44.v20210927)


For a newer Windows Proxy version the response will show:


< HTTP/1.1 403 Forbidden
< Content-Length: 0
< Server: Jetty(9.4.44.v20210927)
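The check above can be scripted so that a scan of several proxy hosts, or a re-check after the upgrade, does not depend on reading curl output by eye. This is an added example, not code from the article or from the PAM product; it assumes plain HTTP on port 27077 as in the curl command, and the X-Trace-Check header name is an arbitrary marker chosen here.

```python
"""Check whether a PAM Windows Proxy on port 27077 still answers HTTP TRACE.

Added example, not part of the Broadcom article. Assumes plain HTTP on the
port, as in the article's curl command. A 200 with Content-Type message/http
means TRACE is enabled; 403 is what the fixed proxy (4.0.4+/4.1.2+) returns.
"""
import http.client

PAM_PROXY_PORT = 27077


def classify_trace_response(status, headers):
    """Map the status and headers of a TRACE reply to a finding string."""
    content_type = next(
        (v for k, v in headers.items() if k.lower() == "content-type"), ""
    ).lower()
    if status == 200 and content_type.startswith("message/http"):
        return "TRACE enabled"
    if status in (403, 405, 501):
        return "TRACE disabled"
    return f"inconclusive (HTTP {status})"


def parse_curl_verbose(output):
    """Extract (status, headers) from the '< ' response lines of curl -v."""
    status, headers = None, {}
    for line in output.splitlines():
        if not line.startswith("< "):
            continue
        text = line[2:].strip()
        if text.startswith("HTTP/"):
            status = int(text.split()[1])
        elif ":" in text:
            name, _, value = text.partition(":")
            headers[name.strip()] = value.strip()
    return status, headers


def probe_trace(host, port=PAM_PROXY_PORT, timeout=5.0):
    """Send one TRACE request to the proxy; return (status, headers, finding)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # Marker header (assumed name) is echoed in the body when TRACE works.
        conn.request("TRACE", "/", headers={"X-Trace-Check": "pam-27077"})
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        return resp.status, headers, classify_trace_response(resp.status, headers)
    except OSError as exc:
        return None, {}, f"connection failed: {exc}"
    finally:
        conn.close()
```

Call probe_trace("<proxy server address>") for a live check, or feed saved curl -v output to parse_curl_verbose and then classify_trace_response.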