
OData feed accessible anonymously

Description

OData (Open Data Protocol) is an ISO/IEC approved, OASIS standard that defines best practices for building and consuming RESTful APIs. This vulnerability indicates that an OData feed endpoint is accessible without any authentication requirements, allowing anonymous users to query and retrieve data from the service.

This configuration issue is commonly found in Microsoft Power Apps portals and other OData-enabled services where default permissions have not been properly restricted.

Remediation

Implement authentication and authorization controls for the OData feed to restrict access to authorized users only:

1. Review the data exposed through the OData endpoint to determine its sensitivity level
2. Configure authentication requirements on the OData service endpoint to require valid credentials
3. Implement role-based access controls (RBAC) to ensure users can only access data appropriate to their privilege level
4. For Microsoft Power Apps portals, navigate to Portal Management → Site Settings and disable anonymous access by setting the appropriate table permissions
5. Apply the principle of least privilege by explicitly defining which entities and fields should be accessible through the OData feed
6. Regularly audit OData endpoint configurations and access logs to detect unauthorized access attempts

If the data is intended to be public, document this decision and ensure no sensitive information is included in the feed.
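After applying the remediation, the check below verifies that the feed now rejects unauthenticated requests. It is an added example, not Invicti's or Microsoft's code; it assumes the Power Apps portal serves its feed under the `/_odata` path, and the service document it tests against is constructed.

```python
"""Post-remediation check: does the OData feed still answer anonymous requests?"""
import json
import urllib.error
import urllib.request

ODATA_MARKERS = ("@odata.context", "odata.metadata")


def classify_odata_response(status: int, content_type: str, body: str) -> str:
    """Return 'anonymous-access', 'auth-required' or 'inconclusive'.

    200 with an OData JSON envelope means data was served without credentials;
    401/403 means the endpoint enforced authentication as intended.
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200 and "json" in content_type.lower():
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            return "inconclusive"
        if isinstance(doc, dict) and any(m in doc for m in ODATA_MARKERS):
            return "anonymous-access"
    return "inconclusive"


def exposed_entity_sets(service_document: str) -> list:
    """Entity sets advertised by an OData v4 service document (what a reviewer must classify)."""
    doc = json.loads(service_document)
    return sorted(e["name"] for e in doc.get("value", []) if e.get("kind", "EntitySet") == "EntitySet")


def check_feed(url: str) -> str:
    """Fetch the service root with no credentials and classify the result."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_odata_response(resp.status, resp.headers.get("Content-Type", ""), body)
    except urllib.error.HTTPError as err:  # 401/403 arrive here, not as a normal response
        return classify_odata_response(err.code, err.headers.get("Content-Type", ""), "")


# Constructed sample of a service document as a portal might return it at /_odata (assumed path).
SAMPLE_SERVICE_DOC = json.dumps({
    "@odata.context": "https://portal.example.invalid/_odata/$metadata",
    "value": [{"name": "contacts", "kind": "EntitySet", "url": "contacts"},
              {"name": "invoices", "kind": "EntitySet", "url": "invoices"}],
})

if __name__ == "__main__":
    print(classify_odata_response(200, "application/json; odata.metadata=minimal", SAMPLE_SERVICE_DOC))
    print(exposed_entity_sets(SAMPLE_SERVICE_DOC))
```

Run `check_feed("https://<your-portal>/_odata")` against your own portal after changing the table permissions; anything other than `auth-required` means step 4 has not taken effect.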
