Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMA5B4C51CA3E00E3856B07D43B6FF38F75DBF4C872A2B7260C3B009956D90E03C
HistoryJun 15, 2018 - 7:05 a.m.

Security Bulletin: Multiple vulnerabilities in NPM affects IBM API Connect (CVE-2016-3956, CVE-2016-2537, CVE-2016-2515)

2018-06-1507:05:56
www.ibm.com
6

0.023 Low

EPSS

Percentile

89.9%

JSON

Summary

IBM API Connect is affected by two ReDoS vulnerabilities in modules included in the Node.js npm tool (CVE-2016-2537, CVE-2016-2515) and Node.js Package Manager (npm) Bearer Token Vulnerability (CVE-2016-3956). These vulnerabilities are now fixed.

Vulnerability Details

CVEID: CVE-2016-2515**
DESCRIPTION:** Node.JS hawk is vulnerable to a denial of service, caused by an error in the regular expression implementation. An attacker could exploit this vulnerability using an overly long header or URI to cause the application to hang.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110819 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-2537**
DESCRIPTION:** Node.js is vulnerable to a denial of service, caused by an error in the regular expression implementation. An attacker could exploit this vulnerability using a regular expression to block the event loop and cause the application to hang.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110870 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-3956**
DESCRIPTION:** npm could allow a remote attacker to obtain sensitive information, caused by the unintentional leakage of bearer tokens from the command-line interface. By setting up an HTTP server and collecting token information, an attacker could exploit this vulnerability to impersonate the user and do anything the owner of the information could, including publishing new versions of packages.
CVSS Base Score: 9.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

IBM API Connect V5.0

Remediation/Fixes

Product

| VRMF|APAR|Remediation/First Fix
—|—|—|—
IBM API Connect| 5.0.1| LI79108| <http://www-01.ibm.com/support/docview.wss?uid=swg21984115&gt;

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm api connecteq5.0.1.0

Related

ibm 8
cvelist 3
github 3
cve 4
osv 4
nvd 4
prion 4
nodejs 3
ubuntu 1
nessus 1
ubuntucve 1
openvas 1
debiancve 1
ibm
ibm
Security Bulletin: Current Releases of IBM® SDK for Node.js™ in IBM Bluemix are affected by CVE-2016-3956, CVE-2016-2515 and CVE-2016-2537.
2018-08-09 04:20:36
Security Bulletin: Two ReDoS vulnerabilities in modules included in the Node.js npm tool affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux
2018-08-03 04:23:43
Security Bulletin: Current Releases of IBM® SDK for Node.js™ are affected by CVE-2016-2515 and CVE-2016-2537
2018-08-09 04:20:36
cvelist
cvelist
CVE-2016-2515
2016-04-13 16:00:00
CVE-2016-2537
2016-02-23 02:00:00
CVE-2016-3956
2016-07-02 14:00:00
github
github
Regular Expression Denial of Service in hawk
2018-07-31 22:52:00
Regular Expression Denial of Service in is-my-json-valid
2017-10-24 18:33:35
npm Token Leak in npm
2018-07-31 22:58:35
cve
cve
CVE-2016-2515
2016-04-13 16:59:13
CVE-2016-2537
2016-02-23 05:59:01
CVE-2016-3956
2016-07-02 14:59:19
osv
osv
Regular Expression Denial of Service in hawk
2018-07-31 22:52:00
Regular Expression Denial of Service in is-my-json-valid
2017-10-24 18:33:35
npm vulnerability
2021-03-15 21:03:23
nvd
nvd
CVE-2016-2515
2016-04-13 16:59:13
CVE-2016-2537
2016-02-23 05:59:01
CVE-2016-3956
2016-07-02 14:59:19
prion
prion
Input validation
2016-04-13 16:59:00
Design/Logic Flaw
2016-02-23 05:59:00
Authorization
2016-07-02 14:59:00
nodejs
nodejs
Regular Expression Denial of Service
2016-01-19 21:50:30
Regular Expression Denial of Service
2016-01-17 21:04:10
npm Token Leak
2016-04-01 16:57:21
ubuntu
ubuntu
npm vulnerability
2021-03-15 00:00:00
nessus
nessus
Ubuntu 16.04 ESM / 18.04 ESM : npm vulnerability (USN-4785-1)
2023-10-16 00:00:00
ubuntucve
ubuntucve
CVE-2016-3956
2016-07-02 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-4785-1)
2023-01-27 00:00:00
debiancve
debiancve
CVE-2016-3956
2016-07-02 14:59:19

0.023 Low

EPSS

Percentile

89.9%

JSON
Related for A5B4C51CA3E00E3856B07D43B6FF38F75DBF4C872A2B7260C3B009956D90E03C
ibm8cvelist3github3cve4osv4nvd4prion4nodejs3ubuntu1nessus1ubuntucve1openvas1debiancve1