8.8 High (CVSS3)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium (CVSS2)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
IBM API Connect has addressed the following vulnerabilities.
Several security issues were fixed in PHP, the HTML-embedded scripting language interpreter.
CVEID: CVE-2018-10549 DESCRIPTION: PHP could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read in exif_read_data in ext/exif/exif.c, which mishandles a MakerNote that lacks a terminating '\0' byte. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142564> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2018-10548 DESCRIPTION: PHP is vulnerable to a denial of service, caused by a NULL pointer dereference in ext/ldap/ldap.c. By sending specially crafted data, an attacker could exploit this vulnerability to mishandle the ldap_get_dn return value and cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142565> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-10547 DESCRIPTION: PHP is vulnerable to cross-site scripting, caused by improper validation of user-supplied input in ext/phar/phar_object.c. A remote attacker could exploit this vulnerability using a specially crafted request for a .phar file to execute script in a victim's Web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142566> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2018-10546 DESCRIPTION: PHP is vulnerable to a denial of service, caused by the failure to reject invalid multibyte sequences by the iconv stream filter in ext/iconv/iconv.c. An attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142567> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2018-10545 DESCRIPTION: PHP could allow a remote attacker to obtain sensitive information, because dumpable FPM child processes bypass opcache access controls. An attacker could exploit this vulnerability to obtain sensitive information from the process memory of a second user's PHP applications.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142568> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected: IBM API Connect versions 5.0.0.0 through 5.0.8.3

Affected Product | Addressed in VRMF | APAR | Remediation/First Fix |
---|---|---|---|
IBM API Connect | 5.0.8.3 iFix | LI80204 | Addressed in IBM API Connect Developer Portal V5.0.8.3 iFix. Follow this link and find the "APIConnect-Portal" package dated on or after 13 June 2018: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7… |

Workarounds and Mitigations: None
CPE | Name | Operator | Version |
---|---|---|---|
 | ibm api connect | eq | 5.0.8.3 |