|
Unreachable RouteRule
|
Medium |
Proxy |
Code Quality |
CWE-561
|
|
Unreachable Flow
|
Medium |
Target
Proxy |
Code Quality |
CWE-561
|
|
Unreachable FaultRule
|
Medium |
Target
Proxy |
Code Quality |
CWE-561
|
|
ServiceCallout policy uses default message object as a response
|
Medium |
ServiceCallout |
Code Quality |
CWE-200
|
|
ServiceCallout policy uses default message object as a request
|
Medium |
ServiceCallout |
Code Quality |
CWE-200
|
|
Sensitive information is in the source code
|
Critical |
Step |
Data at Rest |
CWE-256
CWE-312
|
|
Request content is stringified
|
Critical |
Step |
Data Validation
DoS Protection |
CWE-20
|
|
Private flow variable is written into public one
|
Medium |
Step |
Data at Rest |
CWE-532
|
|
No SpikeArrest policy is applied
|
Medium |
Proxy |
Code Quality
DoS Protection |
CWE-770
|
|
MatchesPath is applied to a static parameter
|
Medium |
Target
Proxy |
Code Quality
Data Validation |
CWE-20
|
|
Masked flow variable is written into unmasked one
|
Medium |
Step |
Data at Rest |
CWE-532
|
|
Lack of certificate validation
|
Critical |
ServiceCallout
MessageLogging
Target |
Data in Transit |
CWE-295
|
|
Lack of DefaultFaultRule
|
Medium |
Target
Proxy |
Error Handling |
CWE-390
|
|
JWT/JWS is decoded but not verified in the same flow phase
|
Critical |
Step |
Authentication & Authorisation |
CWE-347
|
|
Insecure token expiration configuration
|
Medium |
OAuthV2 |
Secure Configuration |
CWE-613
|
|
Insecure JSONThreatProtection policy
|
Medium |
JSONThreatProtection |
Code Quality
Data Validation |
CWE-770
CWE-20
|
|
Flow doesn't limit HTTP methods correctly
|
Medium |
Flow |
Data Validation |
CWE-749
|
|
Flow accepts requests with any method
|
Medium |
Flow |
Data Validation |
CWE-749
|
|
Error flow variable is set but not checked in request phase
|
Medium |
Step |
Error Handling |
CWE-390
|
|
Connection to the system is not encrypted
|
Critical |
ServiceCallout
MessageLogging
Target |
Data in Transit |
CWE-319
|