CVE-2018-2009 — Sensitive Information Exposure in IBM API Connect

CWE-200 — Sensitive Information Exposure CWE-22 — Path Traversal6 documents6 sources

Severity

6.5MEDIUMNVD

GHSA5.0

EPSS

0.2%

top 52.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM API Connect

Timeline

PublishedMar 11

Latest updateMay 14

Description

IBM API Connect v2018.1 and 2018.4.1 is affected by an information disclosure vulnerability in the consumer API. Any registered user can obtain a list of all other users in all other orgs, including email id/names, etc. IBM X-Force ID: 155148.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDibm/api_connect2018.1.0 — 2018.4.1.0

▶CVEListV5ibm/api_connect2018.1, 2018.4.1+1

🔴Vulnerability Details

GHSA

Apache ODE Path Traversal vulnerability↗2022-05-14

▶

GHSA

GHSA-c963-547x-7462: IBM API Connect v2018↗2022-05-13

▶

CVEList

CVE-2018-2009: IBM API Connect v2018↗2019-03-11

▶

💥Exploits & PoCs

Exploit-DB

MyCars Automotive - Authentication Bypass↗2009-06-08

▶