HTTP Trace method enabled on PAM Proxy port 27077
Article ID: 252244

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A vulnerability scan revealed that the HTTP Track or Trace method is enabled for the web service running on port 27077. A local or remote unprivileged user may be able to abuse the HTTP TRACE/TRACK functionality to gain access to sensitive information in HTTP headers when making HTTP requests. https://cwe.mitre.org/data/definitions/16.html

Environment

Release: 4.0-4.0.3, 4.1-4.1.1

Cause

The Windows Proxy uses Jetty and did not explicitly disable the TRACE method in releases prior to 4.0.4 and 4.1.2.

Resolution

This problem is fixed in PAM 4.1.2 and later; see the following item on the documentation page Resolved Issues in 4.1.2:

33224672    DE545335    Potential vulnerability: HTTP Track/Trace method is enabled in PAM Windows Proxy.

Additional Information

This can be tested with the following curl command:

curl -v -X TRACE http://<proxy server address>:27077

For a PAM 4.1.1 Windows Proxy the response would include:

...

< HTTP/1.1 200 OK
< Date: Wed, 26 Jun 2024 21:38:57 GMT
< Content-Type: message/http
< Content-Length: 83
< Server: Jetty(9.4.44.v20210927)

...

For a fixed Windows Proxy version (4.1.2 or later) the response will show:

...

< HTTP/1.1 403 Forbidden
< Content-Length: 0
< Server: Jetty(9.4.44.v20210927)
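As an added example (written for this article, not code from PAM or its documentation), the following Python script performs the same TRACE probe as the curl command above and classifies the answer the way a scanner would: a 200 reply with Content-Type message/http means the server echoed the request back (TRACE enabled), while 403, 405 or 501 means the method is refused. It can also grade saved `curl -v` output, which is useful for reviewing scan evidence offline. The helper names are hypothetical, and the two sample responses are constructed from the fragments shown above.

```python
"""Check whether an HTTP endpoint answers the TRACE method.

Assumptions (not from the article): the target speaks plain HTTP on the PAM
Proxy port (27077 by default) and the caller supplies the host name. The
sample responses are constructed from the response fragments in the article.
"""
import http.client

PAM_PROXY_PORT = 27077

# Status codes that indicate the server refuses the TRACE method.
TRACE_REFUSED = {403, 405, 501}


def classify_trace_status(status, content_type=None):
    """Return 'enabled', 'disabled' or 'unknown' for a TRACE response.

    A 200 reply whose body is message/http is the tell-tale sign that the
    server echoed the request (TRACE enabled). 403/405/501 mean refused.
    """
    if status == 200 and (content_type or "").lower().startswith("message/http"):
        return "enabled"
    if status in TRACE_REFUSED:
        return "disabled"
    return "unknown"


def parse_curl_verbose(output):
    """Extract (status, content_type) from the '<' response lines of curl -v output."""
    status = None
    content_type = None
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("<"):
            continue  # request lines ('>') and '*' chatter are ignored
        body = line[1:].strip()
        if body.upper().startswith("HTTP/"):
            parts = body.split()
            if len(parts) >= 2 and parts[1].isdigit():
                status = int(parts[1])
        elif body.lower().startswith("content-type:"):
            content_type = body.split(":", 1)[1].strip()
    return status, content_type


def classify_curl_output(output):
    """Grade saved curl -v output with the same rules as a live probe."""
    status, content_type = parse_curl_verbose(output)
    if status is None:
        return "unknown"
    return classify_trace_status(status, content_type)


def probe_trace(host, port=PAM_PROXY_PORT, timeout=5.0):
    """Send a TRACE request over the network and classify the answer.

    Returns (classification, status); raises OSError if the host is unreachable.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"Host": host})
        resp = conn.getresponse()
        resp.read()  # drain the echoed request body, if any
        return classify_trace_status(resp.status, resp.getheader("Content-Type")), resp.status
    finally:
        conn.close()


# Constructed samples modelled on the article's 4.1.1 (vulnerable) and fixed responses.
SAMPLE_VULNERABLE = """\
< HTTP/1.1 200 OK
< Date: Wed, 26 Jun 2024 21:38:57 GMT
< Content-Type: message/http
< Content-Length: 83
< Server: Jetty(9.4.44.v20210927)
"""

SAMPLE_FIXED = """\
< HTTP/1.1 403 Forbidden
< Content-Length: 0
< Server: Jetty(9.4.44.v20210927)
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live check: python trace_check.py <proxy server address>
        verdict, code = probe_trace(sys.argv[1])
        print(f"{sys.argv[1]}:{PAM_PROXY_PORT} -> HTTP {code}, TRACE {verdict}")
    else:
        # Offline check against the constructed samples.
        for name, sample in (("4.1.1 sample", SAMPLE_VULNERABLE), ("fixed sample", SAMPLE_FIXED)):
            print(f"{name}: TRACE {classify_curl_output(sample)}")
```

A 200 with some other Content-Type is reported as "unknown" rather than "enabled" on purpose: some proxies answer every method with a generic page, and that is a different finding from a genuine TRACE echo, so it should be inspected by hand rather than flagged automatically.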