CVE-2020-11658
Description
CA API Developer Portal 4.3.1 and earlier handles shared secret keys in an insecure manner, which allows attackers to bypass authorization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CA API Developer Portal 4.3.1 and earlier handles shared secret keys insecurely, allowing attackers to bypass authorization.
Vulnerability
CA API Developer Portal versions 4.3.1 and earlier handle shared secret keys insecurely, as described in the security notice from Broadcom [1]. This vulnerability, tracked as CVE-2020-11658, allows attackers to bypass authorization mechanisms. The affected versions include all releases up to and including 4.3.1.
Exploitation
To exploit this vulnerability, an attacker needs network access to the API Developer Portal. The insecure handling of shared secret keys enables the attacker to craft requests that bypass authorization checks. No special privileges or user interaction are required for exploitation. The exact attack vector is not detailed in the available references, but the underlying flaw is in the storage or management of shared secret keys.
Impact
Successful exploitation allows an attacker to bypass authorization, potentially gaining unauthorized access to API resources and administration functions [1]. This could lead to disclosure of sensitive information or further compromise of the system.
Mitigation
Broadcom has addressed this vulnerability in a software update, as indicated in their security notice [1]. Users should apply the latest patches provided by Broadcom for CA API Developer Portal. The specific fixed version is not detailed in the references, but the advisory recommends implementing the solutions. There are no workarounds described.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CA/API Developer Portal
- Range: <=4.3.1
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/157276/CA-API-Developer-Portal-4.2.x-4.3.1-Access-Bypass-Privilege-Escalation.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2020/Apr/24 (mitre, mailing-list, x_refsource_FULLDISC)
- techdocs.broadcom.com/us/product-content/status/announcement-documents/2020/CA20200414-01-Securit-Notice-for-CA-API-Developer-Portal.html (mitre, x_refsource_MISC)