
PAM port 9092 flagged for HTTP TRACE Method Enabled (CWE 16) vulnerability


Article ID: 254273


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A customer's vulnerability scan flags the vulnerability "HTTP TRACE Method Enabled" (CWE 16) on PAM port 9092. The HTTP TRACE method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes. A local or remote unprivileged user may be able to abuse the HTTP TRACE/TRACK functionality to gain access to sensitive information in HTTP headers when making HTTP requests. https://cwe.mitre.org/data/definitions/16.html

Environment

Release : 4.0

Cause

A local or remote unprivileged user may be able to abuse the HTTP TRACE/TRACK functionality to gain access to sensitive information in HTTP headers.

Resolution

Upgrade to PAM version 4.0.1 and above, where Port 9092 has been disabled.
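To confirm the remediation from an authorised host, the following added example (not part of this article or of the PAM product) sends a TRACE request and classifies the answer the way a scanner would: "enabled" when the server echoes the request back, "disabled" when the method is rejected, and "closed" when the port no longer accepts connections, which is the expected result for port 9092 on PAM 4.0.1 and above. The host name, the probe header name and the sample responses are assumptions.

```python
"""Check whether an HTTP endpoint answers the TRACE method (added verification example)."""
import socket
import ssl

MARKER = "X-Trace-Check"  # assumed custom header, used to recognise an echoed request


def build_trace_request(host: str) -> bytes:
    # The marker header lets us tell a genuine echo apart from any other 200 response.
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n{MARKER}: probe\r\n"
            f"Connection: close\r\n\r\n").encode()


def classify_trace_response(raw: bytes) -> str:
    """Return 'enabled', 'disabled' or 'unknown' for a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "unknown"
    code = parts[1]
    # A 200 whose body reflects our marker header means TRACE is echoing requests.
    if code == b"200" and MARKER.encode() in body:
        return "enabled"
    if code in (b"400", b"403", b"404", b"405", b"501"):
        return "disabled"
    return "unknown"


def check_trace(host: str, port: int, use_tls: bool = False, timeout: float = 5.0) -> str:
    """Connect, send TRACE and classify; 'closed' if the port refuses or times out."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # expected for port 9092 once it has been disabled
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # a reachability check only, not a trust decision
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        try:
            while data := sock.recv(4096):
                chunks.append(data)
        except OSError:
            pass  # a read timeout still leaves us with whatever was received
    return classify_trace_response(b"".join(chunks))


if __name__ == "__main__":
    # Placeholder host name; replace with the PAM appliance under test.
    print(check_trace("pam.example.internal", 9092, use_tls=True))
```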

Additional Information

None.