Dec 19, 2018 9:01 am EST
Categorized: High Severity
API Connect has addressed the following vulnerability. IBM LoopBack could allow an attacker to bypass authentication if the AccessToken model is exposed over a REST API: anyone who knows a userId can then create an AccessToken for that user and so gain access to that user's data and privileges (including administrative privileges, if the user happens to be an Admin).
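The exposure condition the bulletin describes, a built-in AccessToken model reachable over REST, is a configuration matter in LoopBack 3 applications, where `server/model-config.json` controls which models are exposed. The audit helper below is an added example, not code from the IBM bulletin, from API Connect or from the LoopBack project. It assumes LoopBack 3 `model-config.json` semantics, in which a model is exposed over REST unless its entry sets `"public": false`, and it uses a constructed sample configuration in which AccessToken has been made public. It reports which sensitive built-in models are exposed and produces a hardened copy of the configuration.

```javascript
// Added audit helper (not from the IBM bulletin or the LoopBack project).
// Inspects a parsed LoopBack 3 server/model-config.json object and reports
// built-in security models that are reachable over the REST API.

// Built-in models that carry authentication and authorization state and
// should normally not be exposed over REST.
const SENSITIVE_BUILTIN_MODELS = ['AccessToken', 'ACL', 'Role', 'RoleMapping'];

// Return the names of sensitive built-in models that the config exposes.
function findExposedSensitiveModels(modelConfig) {
  const exposed = [];
  for (const name of SENSITIVE_BUILTIN_MODELS) {
    const entry = modelConfig[name];
    if (!entry) continue; // model is not configured in this application
    // Assumption: LoopBack 3 treats a configured model as public unless
    // "public" is explicitly false, so a missing key counts as exposed.
    if (entry.public !== false) exposed.push(name);
  }
  return exposed;
}

// Return a deep copy of the config with every sensitive built-in model
// set to "public": false; application models are left untouched.
function hardenModelConfig(modelConfig) {
  const fixed = JSON.parse(JSON.stringify(modelConfig));
  for (const name of SENSITIVE_BUILTIN_MODELS) {
    if (fixed[name]) fixed[name].public = false;
  }
  return fixed;
}

// Constructed sample config: AccessToken has been exposed over REST,
// which is the weak setting the bulletin warns about. Product stands in
// for an ordinary application model that is legitimately public.
const WEAK_CONFIG = {
  _meta: { sources: ['loopback/common/models', '../common/models'] },
  User: { dataSource: 'db' },
  AccessToken: { dataSource: 'db', public: true },
  ACL: { dataSource: 'db', public: false },
  RoleMapping: { dataSource: 'db', public: false },
  Role: { dataSource: 'db', public: false },
  Product: { dataSource: 'db', public: true }
};

// Run the audit against the sample and show the hardened result.
const exposedBefore = findExposedSensitiveModels(WEAK_CONFIG);
const exposedAfter = findExposedSensitiveModels(hardenModelConfig(WEAK_CONFIG));
console.log('Exposed before hardening:', exposedBefore); // ['AccessToken']
console.log('Exposed after hardening: ', exposedAfter);  // []
```

To audit a real application, parse its `server/model-config.json` with `JSON.parse` and pass the object to `findExposedSensitiveModels`; any name it returns is a model whose create, find and delete endpoints are reachable through the REST API and should be reviewed against the application's ACLs.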
CVE(s): CVE-2018-1778
Affected product(s) and affected version(s):
| Affected product | Affected version(s) |
| --- | --- |
| IBM API Connect | 2018.1-2018.4.1 |
| IBM API Connect | 5.0.8.0-5.0.8.4 |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10733883
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148801
from IBM Product Security Incident Response Team https://ift.tt/2EtDOu5