CVE-2018-1778: Improper Authentication in IBM API Connect

Severity: 8.1 HIGH (NVD); 7.7 (CNA)
EPSS: 0.3% (top 42.55%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 20; Latest update May 13

Description

IBM LoopBack (IBM API Connect 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4) could allow an attacker to bypass authentication. If the AccessToken Model is exposed over a REST API, it is then possible for anyone to create an AccessToken for any User, provided they know the userId, and hence gain access to that user's data and privileges (for example, if the user happens to be an Admin). IBM X-Force ID: 148801.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (2 packages)

NVD: ibm/api_connect 5.0.8.0, 5.0.8.4 (+1)
CVEListV5: ibm/api_connect, 4 versions (+3)

Patches

Vulnerability Details (2)

GHSA: GHSA-gpvh-xcx4-jwmg: IBM LoopBack (IBM API Connect 2018 (2022-05-13)
CVEList: CVE-2018-1778: IBM LoopBack (IBM API Connect 2018 (2018-12-20)