|
User-controlled data in ServiceCallout
|
High |
Step |
Data Validation |
CWE-233
CWE-20
|
|
Condition has undefined variables
|
Medium |
Step
RouteRule
Flow |
Code Quality |
CWE-570
CWE-571
|
|
Error flow variable is set but not checked in request phase
|
Medium |
Step |
Error Handling |
CWE-390
|
|
Flow accepts requests with any method
|
Medium |
Flow |
Data Validation |
CWE-749
|
|
Flow doesn't limit HTTP methods correctly
|
Medium |
Flow |
Data Validation |
CWE-749
|
|
Lack of DefaultFaultRule
|
Medium |
Target
Proxy |
Error Handling |
CWE-390
|
|
Masked flow variable is written into unmasked one
|
Medium |
Step |
Data at Rest |
CWE-532
|
|
MatchesPath is applied to a static parameter
|
Medium |
Target
Proxy |
Code Quality
Data Validation |
CWE-20
|
|
No SpikeArrest policy is applied
|
Medium |
Proxy |
Code Quality
DoS Protection |
CWE-770
|
|
Private flow variable is written into public one
|
Medium |
Step |
Data at Rest |
CWE-532
|
|
Unreachable FaultRule
|
Medium |
Target
Proxy |
Code Quality |
CWE-561
|
|
Unreachable Flow
|
Medium |
Target
Proxy |
Code Quality |
CWE-561
|
|
Unreachable RouteRule
|
Medium |
Proxy |
Code Quality |
CWE-561
|
|
Cache lookup variable is overwritten
|
Low |
Step |
Code Quality |
CWE-472
|
|
Missing security headers
|
Low |
Proxy |
Secure Configuration |
CWE-523
|
|
No mask configuration for the proxy
|
Low |
Proxy |
Code Quality |
|
|
Overcomplicated or malformed condition
|
Low |
Step
RouteRule
Flow |
Code Quality |
CWE-570
CWE-571
|
|
Policy errors are not caught
|
Low |
Step |
Error Handling |
CWE-390
|
|
Step operates undefined flow variables
|
Low |
Step |
Code Quality |
CWE-457
|
|
Missing API versioning
|
Info |
Proxy |
Secure Configuration |
CWE-710
|