IBM7634C0B259A064264562010D1E76E887D65C05E86E87D814EA7CD4EC8B545C9BSecurity Bulletin: Multiple vulnerabilities in Drupal Core affect IBM API Management (CVE-2016-9449, CVE-2016-9450, CVE-2016-9451, CVE-2016-9452)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
Summary
Drupal is used by the Advanced Developer Portal in IBM API Management. IBM API Management has updated the level of Drupal it provides to address the applicable CVEs.
Vulnerability Details
CVEID: CVE-2016-9449**
DESCRIPTION:** Drupal Core could allow a remote authenticated attacker to obtain sensitive information, caused by an error in the database SELECT query mechanism. By sending a specially-crafted SELECT query request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119048> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2016-9450**
DESCRIPTION:** Drupal Core could allow a remote attacker to bypass security restrictions, caused by mishandling of proper cache context in the user password reset form. By sending a specially-crafted request, an attacker could exploit this vulnerability to perform cache poisoning and inject malicious context on the page.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119049> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2016-9451**
DESCRIPTION:** Drupal Core could allow a remote authenticated attacker to conduct phishing attacks, caused by an error in Confirmation forms. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119050> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)
CVEID: CVE-2016-9452**
DESCRIPTION:** Drupal Core is vulnerable to a denial of service, caused by an error in transliterate mechanism. By using a specially-crafted URL, an attacker could exploit this vulnerability to cause the application to stop responding.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119051> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
IBM API Management V4.0.0.0 - V4.0.4.4
Remediation/Fixes
Product
| VRMF|APAR|Remediation/First Fix
—|—|—|—
IBM API Management| 4.0.0.0 - 4.0.4.4| LI79591| Apply IBM API Management V4.0.4.5
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm api management | eq | 4.0 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N