CVE-2018-1843
Severity
4.1 MEDIUM
EPSS
0.0%
top 85.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Nov 21
Latest update May 13
Description
The Identity and Access Management (IAM) services (IBM Cloud Private 3.1.0) do not use a secure channel, such as SSL, to exchange information only when accessed internally from within the cluster. It could be possible for an attacker with access to network traffic to sniff packets from the connection and uncover data. IBM X-Force ID: 150903
CVSS vector
CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Exploitability: 0.5 | Impact: 3.6
Affected Packages
2 packages
Patches
Vulnerability Details (2)
Community (1)
Bugzilla
CVE-2018-1323 isapi_redirect: Mishandled HTTP request paths in jk_isapi_plugin.c can lead to unintended exposure of application resources via the reverse proxy (2018-03-13)