A vulnerability scan revealed that the HTTP TRACK or TRACE method is enabled for the web service running on port 27077. A local or remote unprivileged user may be able to abuse the HTTP TRACE/TRACK functionality to gain access to sensitive information in HTTP headers when making HTTP requests. See https://cwe.mitre.org/data/definitions/16.html
Release: 4.0-4.0.3, 4.1-4.1.1
The Windows Proxy uses Jetty and did not explicitly disable the TRACE method in releases prior to 4.0.4 and 4.1.2.
This problem is fixed in PAM 4.1.2+; see the following item on the documentation page Resolved Issues in 4.1.2:
33224672 DE545335 Potential vulnerability: HTTP Track/Trace method is enabled in PAM Windows Proxy.
This can be tested with the following curl command:
curl -v -X TRACE http://<proxy server address>:27077
For a PAM 4.1.1 Windows Proxy the response would include:
...
< HTTP/1.1 200 OK
< Date: Wed, 26 Jun 2024 21:38:57 GMT
< Content-Type: message/http
< Content-Length: 83
< Server: Jetty(9.4.44.v20210927)
...
For a newer Windows Proxy version the response will show:
...
< HTTP/1.1 403 Forbidden
< Content-Length: 0
< Server: Jetty(9.4.44.v20210927)
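The manual check above can be scripted to sweep several proxy hosts and interpret each response. This is an added example, not part of the original article or the vendor's tooling; the function names and the ENABLED/DISABLED/UNKNOWN verdicts are assumptions, as is treating 405 like the 403 shown above.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): interpret a TRACE probe of the Windows Proxy port.

# classify_trace: read response headers on stdin (raw `curl -i` output or the
# "< "-prefixed lines of `curl -v`) and print ENABLED, DISABLED or UNKNOWN.
classify_trace() {
    awk '
        { sub(/\r$/, ""); sub(/^< /, "") }            # drop CR and curl -v prefix
        !seen && /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { seen = 1; code = $2; next }
        seen && /^$/ { exit }                         # blank line ends the headers
        seen && tolower($0) ~ /^content-type:[ \t]*message\/http/ { echoed = 1 }
        END {
            # 200 plus message/http means the request was reflected back.
            if (code == "200" && echoed)              print "ENABLED"
            # 403 is what the article shows for fixed releases; 405 is an assumption.
            else if (code == "403" || code == "405")  print "DISABLED"
            else                                      print "UNKNOWN"
        }'
}

# check_trace HOST [PORT]: probe one proxy; PORT defaults to 27077 as in the article.
check_trace() {
    host=$1
    port=${2:-27077}
    # --max-time keeps a filtered port from stalling the sweep.
    verdict=$(curl -s -i --max-time 10 -X TRACE "http://$host:$port/" | classify_trace)
    printf '%s:%s TRACE %s\n' "$host" "$port" "$verdict"
}

# Usage: ./check_trace.sh proxy1.example.internal proxy2.example.internal
# (hostnames are placeholders; with no arguments nothing is probed)
for h in "$@"; do
    check_trace "$h"
done
```

An UNKNOWN verdict covers timeouts and unexpected status codes, so those hosts need a manual look rather than being counted as fixed.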