FastApiAdmin Information Disclosure Vulnerability in Custom Documentation Endpoint

Vulnerability

A vulnerability allowing information disclosure exists in FastApiAdmin versions through 2.2.0. The issue arises in the 'reset_api_docs' function within '/backend/app/plugin/init_app.py', where custom API documentation endpoints are made available without authentication or authorization. This flaw enables unauthenticated attackers to access the OpenAPI specification and documentation pages, facilitating the enumeration of endpoints, parameters, models, and other metadata that could be exploited in targeted attacks or lead to the leakage of sensitive implementation details.

Impact

Exploitation of this vulnerability allows unauthorized access to API documentation and the OpenAPI specification, including metadata that could be used for targeted attacks, according to VulDB.

Reproduction

The vulnerability can be reproduced by accessing the API documentation endpoints, such as '/api/v1/openapi.json', without any authentication or authorization. This can be done remotely, as the vulnerability is exposed to the public.

Remediation

It is recommended to implement authentication and authorization for the documentation endpoints, restrict access to authorized users only, disable automatic API documentation generation in production environments, and use environment-based configuration to expose documentation only in development or staging environments.

Added: Feb 23, 2026, 7:18 AM
Updated: Feb 23, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.