772 matches found
Command Injection
Overview apiconnect-cli-plugins is a Plugin for IBM API Connect Developer Toolkit. Affected versions of this package are vulnerable to Command Injection. The argument pluginUri can be controlled by users without any sanitization. PoC var root = require("apiconnect-cli-plugins"); var payload = "&...
Security Bulletin: IBM API Connect is impacted by an unspecified vulnerability in Java (CVE-2020-2604)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2020-2604 DESCRIPTION: An unspecified vulnerability in Java SE could allow an unauthenticated attacker to take control of the system. CVSS Base score: 8.1 CVSS Temporal Score: See:...
Security Bulletin: API Connect is impacted by multiple vulnerabilities in Oracle MySQL.
Summary IBM API Connect had addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2019-2791 DESCRIPTION: An unspecified vulnerability in Oracle MySQL related to the Server Server: Audit Plug-in component could allow an authenticated attacker to cause low confidentiality impact...
CVE-2019-4553
IBM API Connect V5.0.0.0 through 5.0.8.7iFix3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 165958...
Code injection
IBM API Connect V5.0.0.0 through 5.0.8.7iFix3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 165958...
CVE-2019-4553
CVE-2019-4553 affects IBM API Connect V5.0.0.0–5.0.8.7iFix3. The issue stems from the use of weaker-than-expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. Affected product versions include API Connect V5.0.0.0 through 5.0.8.7iFix3. Remediation...
Security Bulletin: IBM API Connect is impacted by an unspecified vulnerability in Java (CVE-2019-2989)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-2989 DESCRIPTION: An unspecified vulnerability in Java SE could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. CVSS Ba...
Security Bulletin: API Connect V2018 is impacted by an information disclosure vulnerability (CVE-2019-4437)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-4437 DESCRIPTION: IBM API Connect Developer Portal may inadvertently leak sensitive details about internal servers and network via API swagger. CVSS Base Score: 8.2 CVSS Temporal Score: See fo...
IBM API Connect weak encryption vulnerability (CNVD-2020-17503)
IBM API Connect APIConnect is a suite of integrated solutions for managing the API lifecycle from IBM USA. The product supports creating, running, managing, and securing APIs, microservices, and more. A weak encryption vulnerability exists in IBM API Connect versions V5.0.0.0 through 5.0.8.7iFix3...
Security Bulletin: IBM API Connect is impacted by weak cryptographic algorithms (CVE-2019-4553)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-4553 DESCRIPTION: IBM API Connect uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. CVSS Base score: 5.9 CVSS Temporal...
Security Bulletin: IBM API Connect's Developer Portal is impacted by a denial of service vulnerability in MySQL (CVE-2019-2805)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-2805 DESCRIPTION: Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Parser. Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0....
Security Bulletin: API Connect's Developer Portal is impacted by vulnerabilities in PHP
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-11035 DESCRIPTION: PHP could allow a remote attacker to obtain sensitive information, caused by heap-based buffer overflow in the exif_iif_add_value function in the EXIF extension. By persuading ...
Security Bulletin: API Connect is impacted by multiple vulnerabilities in Oracle MySQL
Summary IBM API Connect has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2019-2991 DESCRIPTION: Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Optimizer. Supported versions that are affected are 8.0.17 and prior. Easily exploitable...
Security Bulletin: IBM API Connect is potentially impacted by vulnerabilities in MySQL
Summary IBM API Connect has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2019-2693 DESCRIPTION: Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Optimizer. Supported versions that are affected are 8.0.15 and prior. Easily exploitable...
Security Bulletin: IBM API Connect is impacted by vulnerabilities in Golang (CVE-2019-17596 CVE-2019-16276)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-17596 DESCRIPTION: Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such...
Security Bulletin: IBM API Connect V5 is impacted by a denial of service vulnerability in Linux kernel (CVE-2019-11477)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-11477 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an integer overflow when processing TCP Selective Acknowledgement (SACK) capabilities. By sending specially-crafte...
Security Bulletin: IBM API Connect's Developer Portal is impacted by critical vulnerabilities in Drupal (SA-CORE-2019-009, SA-CORE-2019-011, SA-CORE-2019-012, SA-CORE-2019-010)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details Third Party Entry: 173284 DESCRIPTION: Drupal security bypass CVSS Base score: 5.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173284 for the current score. CVSS Vector:...
Security Bulletin: IBM API Connect is impacted by a vulnerability in Kubernetes (CVE-2019-11251)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-11251 DESCRIPTION: Kubernetes could allow a remote attacker to gain unauthorized access to the system, caused by an error in kubectl cp that allows a combination of two symlinks to copy a file...