Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBME1E23385784EE6A273817DDEF72E5E6A1F520AEA9AC6AD22B2628C3BF9B94E85
HistoryApr 28, 2021 - 8:38 p.m.

Security Bulletin: IBM API Connect is vulnerable to cookie forgery via PHP (CVE-2020-7070)

2021-04-2820:38:52
www.ibm.com
14

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

58.4%

JSON

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID:CVE-2020-7070
**DESCRIPTION:**PHP could allow a remote attacker to bypass security restrictions, caused by the lack of validation/integrity check security for HTTP cookie. By using a specially-crafted HTTP cookie, an attacker could exploit this vulnerability to forge a secure cookie.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189237 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM API Connect V5.0.0.0-5.0.8.10
IBM API Connect V10.0.1.0
IBM API Connect V2018.4.1.0-2018.4.1.12

Remediation/Fixes

Affected Product Addressed in VRMF APAR Remediation/First Fix
IBM API Connect V5.0.0.0-5.0.8.10 5.0.8.10 iFix LI81915

Addressed in IBM API Connect 5.0.8.10 iFix published on or after December 16, 2020.

Developer Portal is impacted.

Follow this link and find the “Portal” package.

http://www.ibm.com/support/fixcentral/swg/quickorder

IBM API Connect

V2018.4.1.0-2018.4.1.13

| 2018.4.1.15|

LI81915

|

Addressed in IBM API Connect V2018.4.1.15.

Developer Portal is impacted.

Follow this link and find the “Portal” package.

http://www.ibm.com/support/fixcentral/swg/quickorder

IBM API Connect

V10.0.1.0

| 10.0.1.1|

LI81915

|

Addressed in IBM API Connect V10.0.1.1

Developer Portal is impacted.

Follow this link and find the “Portal” package.

http://www.ibm.com/support/fixcentral/swg/quickorder

Workarounds and Mitigations

None

Related

nessus 38
openvas 24
debian 2
osv 8
mageia 1
veracode 1
ubuntu 2
fedora 3
ubuntucve 1
suse 2
redhatcve 1
altlinux 2
prion 1
debiancve 1
alpinelinux 1
f5 1
cve 1
gentoo 1
github 1
amazon 1
friendsofphp 1
redhat 2
rocky 1
oraclelinux 1
almalinux 1
cloudlinux 1
nessus
nessus
Debian DLA-2397-1 : php7.0 security update
2020-10-07 00:00:00
SUSE SLES12 Security Update : php5 (SUSE-SU-2020:2894-1)
2020-12-09 00:00:00
SUSE SLES12 Security Update : php7 (SUSE-SU-2020:2920-1)
2020-12-09 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2020:2920-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2020:14516-1)
2021-06-09 00:00:00
Mageia: Security Advisory (MGASA-2020-0387)
2022-01-28 00:00:00
debian
debian
[SECURITY] [DLA 2397-1] php7.0 security update
2020-10-06 21:42:36
[SECURITY] [DSA 4856-1] php7.3 security update
2021-02-17 22:08:33
osv
osv
php7.0 - security update
2020-10-06 00:00:00
BIT-php-2020-7070
2024-03-06 11:05:57
CVE-2020-7070
2020-10-02 15:15:12
mageia
mageia
Updated php packages fix a security vulnerability
2020-10-16 20:04:43
veracode
veracode
Cookie Injection
2020-10-02 06:07:42
ubuntu
ubuntu
PHP vulnerabilities
2020-10-27 00:00:00
PHP vulnerabilities
2020-10-14 00:00:00
fedora
fedora
[SECURITY] Fedora 31 Update: php-7.3.23-1.fc31
2020-10-07 20:45:40
[SECURITY] Fedora 33 Update: php-7.4.11-1.fc33
2020-10-04 00:16:01
[SECURITY] Fedora 32 Update: php-7.4.11-1.fc32
2020-10-07 20:37:09
ubuntucve
ubuntucve
CVE-2020-7070
2020-10-02 00:00:00
suse
suse
Security update for php7 (important)
2020-10-29 00:00:00
Security update for php7 (important)
2020-10-20 00:00:00
redhatcve
redhatcve
CVE-2020-7070
2020-10-06 21:20:55
altlinux
altlinux
Security fix for the ALT Linux 9 package php7 version 7.3.23-alt1
2020-10-10 00:00:00
Security fix for the ALT Linux 8 package php7 version 7.2.34-alt1
2020-10-13 00:00:00
prion
prion
Information disclosure
2020-10-02 15:15:00
debiancve
debiancve
CVE-2020-7070
2020-10-02 15:15:00
alpinelinux
alpinelinux
CVE-2020-7070
2020-10-02 15:15:00
f5
f5
K11435435 : PHP vulnerability CVE-2020-7070
2020-10-22 00:00:00
cve
cve
CVE-2020-7070
2020-10-02 15:15:00
gentoo
gentoo
PHP: Multiple vulnerabilities
2020-12-23 00:00:00
github
github
ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent
2022-09-16 18:48:53
amazon
amazon
Medium: php72, php73
2020-10-26 18:16:00
friendsofphp
friendsofphp
ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent
2022-08-20 11:11:00
redhat
redhat
(RHSA-2021:4213) Moderate: php:7.4 security, bug fix, and enhancement update
2021-11-09 08:42:20
(RHSA-2021:2992) Moderate: rh-php73-php security, bug fix, and enhancement update
2021-08-03 08:11:09
rocky
rocky
php:7.4 security, bug fix, and enhancement update
2021-11-09 08:42:20
oraclelinux
oraclelinux
php:7.4 security, bug fix, and enhancement update
2021-11-16 00:00:00
almalinux
almalinux
Moderate: php:7.4 security, bug fix, and enhancement update
2021-11-09 08:42:20
cloudlinux
cloudlinux
Fix of 227 CVE
2020-10-15 12:00:00

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

58.4%

JSON
Related for E1E23385784EE6A273817DDEF72E5E6A1F520AEA9AC6AD22B2628C3BF9B94E85
nessus38openvas24debian2osv8mageia1veracode1ubuntu2fedora3ubuntucve1suse2redhatcve1altlinux2prion1debiancve1alpinelinux1f51cve1gentoo1github1amazon1friendsofphp1redhat2rocky1oraclelinux1almalinux1cloudlinux1