
772 matches found

IBM Security Bulletins
added 2018/12/18 10:20 p.m., 29 views

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect API Connect

Summary There are multiple vulnerabilities in IBM® Runtime Environment Java™ used by IBM API Connect. These issues were disclosed as part of the IBM Java SDK updates in July 2018. Vulnerability Details CVEID: CVE-2018-2952 DESCRIPTION: An unspecified vulnerability related to the Java SE Concurren...

CVSS 7.5 | AI score 0.9 | EPSS 0.00588
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2018/12/18 9:30 p.m., 24 views

Security Bulletin: IBM API Connect is affected by a NoSQL Injection in MongoDB connector for the LoopBack framework (CVE-2018-1784)

Summary IBM API Connect has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2018-1784 DESCRIPTION: IBM API Connect is affected by a NoSQL Injection in MongoDB connector for the LoopBack framework. CVSS Base Score: 7.1 CVSS Temporal Score: See for the current score CVSS...

CVSS 9.8 | AI score 1.1 | EPSS 0.00207
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2018/12/18 4:10 p.m., 16 views

Security Bulletin: IBM API Connect V5 - Admin Users Can Elevate Own Permissions (CVE-2018-1973)

Summary IBM API Connect has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2018-1973 DESCRIPTION: API Connect V5 allows a user with limited 'API Administrator' level access to give themselves full 'Administrator' level access through the members functionality. CVSS Base...

CVSS 9 | AI score 1.5 | EPSS 0.00244
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2018/12/18 4:5 p.m., 40 views

Security Bulletin: IBM API Connect is affected by a critical privilege escalation vulnerability in Kubernetes (CVE-2018-1002105)

Summary API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2018-1002105 DESCRIPTION: Kubernetes could allow a remote attacker to gain elevated privileges on the system, caused by the improper handling of requests in the API server. By sending a specially craft...

CVSS 9.8 | AI score 2.5 | EPSS 0.90104
Exploits: 10 | Affected Software: 1

IBM Security Bulletins
added 2018/12/17 3:35 p.m., 22 views

Security Bulletin: IBM API Connect is affected by authentication bypass vulnerability in LoopBack (CVE-2018-1778)

Summary API Connect has addressed the following vulnerability. IBM LoopBack could allow an attacker to bypass authentication if the AccessToken Model is exposed over a REST API, because it is then possible for anyone to create an AccessToken for any User, provided they know the userID and can hen...

CVSS 9.3 | AI score 1.5 | EPSS 0.00349
Exploits: 0 | Affected Software: 1

OSV
added 2018/11/20 2:29 p.m., 0 views

CVE-2018-1779

IBM API Connect 2018.1 through 2018.3.7 could allow an unauthenticated attacker to cause a denial of service due to not setting limits on JSON payload size. IBM X-Force ID: 148802...

CVSS 7.5 | AI score 5.8
Exploits: 0 | References: 3

Prion
added 2018/11/20 2:29 p.m., 13 views

Code injection

IBM API Connect 2018.1 through 2018.3.7 could allow an unauthenticated attacker to cause a denial of service due to not setting limits on JSON payload size. IBM X-Force ID: 148802...

CVSS 5 | AI score 7.2 | EPSS 0.00316
Exploits: 0 | References: 3 | Affected Software: 1

NVD
added 2018/11/20 2:29 p.m., 19 views

CVE-2018-1779

IBM API Connect 2018.1 through 2018.3.7 could allow an unauthenticated attacker to cause a denial of service due to not setting limits on JSON payload size. IBM X-Force ID: 148802...

CVSS 7.5 | AI score 7.3 | EPSS 0.00316
Exploits: 0 | References: 3

CVE
added 2018/11/20 2:0 p.m., 52 views

CVE-2018-1779

CVE-2018-1779 affects IBM API Connect 2018.1 through 2018.3.7, where the management service could be overwhelmed by unauthenticated requests containing large JSON payloads due to insufficient JSON size limits. The vulnerability can cause a denial of service, as the server may allocate excessive r...

CVSS 7.5 | AI score 7.3 | EPSS 0.00316
Exploits: 0 | References: 3 | Affected Software: 1

Cvelist
added 2018/11/20 2:0 p.m., 21 views

CVE-2018-1779

IBM API Connect 2018.1 through 2018.3.7 could allow an unauthenticated attacker to cause a denial of service due to not setting limits on JSON payload size. IBM X-Force ID: 148802...

CVSS 7.5 | AI score 7.3 | EPSS 0.00316
Exploits: 0 | References: 3

CNVD
added 2018/11/20 12:0 a.m., 2 views

IBM API Connect Denial of Service Vulnerability (CNVD-2018-26026)

IBM API Connect aka APIConnect is an integrated solution for managing the API lifecycle from IBM USA. The solution supports creating, running, managing and securing APIs, microservices and more. A security vulnerability exists in IBM API Connect versions 2018.1 through 2018.3.7 that stems from th...

CVSS 7.5 | AI score 7.5 | EPSS 0.00316
Exploits: 0 | References: 1

IBM Security Bulletins
added 2018/11/15 7:20 p.m., 18 views

Security Bulletin: IBM API Connect is affected by a denial of service vulnerability via large JSON payloads (CVE-2018-1779)

Summary API Connect has addressed the following vulnerability. The management microservice in API Connect version 2018.1 through 2018.3.7 is vulnerable to denial of service attacks via large JSON payloads. An attacker can flood the management service with unauthenticated api requests with large...

CVSS 7.5 | AI score 1.9 | EPSS 0.00316
Exploits: 0 | Affected Software: 1

NVD
added 2018/11/09 1:29 a.m., 13 views

CVE-2018-1774

IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692...

CVSS 8.9 | AI score 8.7 | EPSS 0.0011
Exploits: 0 | References: 2

OSV
added 2018/11/09 1:29 a.m., 2 views

CVE-2018-1774

IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692...

CVSS 7.8 | AI score 5.8 | EPSS 0.0011
Exploits: 0 | References: 2

Prion
added 2018/11/09 1:29 a.m., 16 views

Input validation

IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692...

CVSS 6.8 | AI score 7.5 | EPSS 0.0011
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2018/11/09 12:0 a.m., 51 views

CVE-2018-1774

IBM API Connect is vulnerable to CSV Injection in the Developer Portal and analytics for versions 5.0.0.0–5.0.8.4 and 2018.1–2018.3.6. The underlying issue enables execution of malicious commands when opened by an administrator. Affected components include the Management server (iFix LI80404) and...

CVSS 8.9 | AI score 7.6 | EPSS 0.0011
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2018/11/09 12:0 a.m., 16 views

CVE-2018-1774

IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692...

CVSS 8.9 | AI score 8.6 | EPSS 0.0011
Exploits: 0 | References: 2

IBM Security Bulletins
added 2018/11/04 1:55 p.m., 22 views

Security Bulletin: IBM API Connect is vulnerable to CSV Injection (CVE-2018-1774)

Summary IBM API Connect has addressed the following vulnerability. IBM API Connect is vulnerable to CSV Injection via the Developer Portal and analytics that could contain malicious commands that would be executed once opened by an administrator. Vulnerability Details CVEID: CVE-2018-1774...

CVSS 8.9 | AI score 1.2 | EPSS 0.0011
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2018/11/01 9:30 p.m., 23 views

Security Bulletin: IBM API Connect Developer Portal is vulnerable to Server Side Request Forgery (CVE-2018-1712)

Summary IBM API Connect has addressed the following vulnerability. IBM API Connect Developer Portal is vulnerable to Server Side Request Forgery. An attacker, using specially crafted input parameters can trick the server into making potentially malicious calls within the trusted network...

CVSS 9.9 | AI score 1.4 | EPSS 0.00112
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2018/10/31 8:10 p.m., 66 views

Security Bulletin: IBM API Connect is affected by multiple third-party vulnerabilities (Node.js, nghttp2, Linux, Intel CPU, Android)

Summary API Connect has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2018-13094 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw in the xfs_da_shrink_inode function in fs/xfs/libxfs/xfs_attr_leaf.c. By persuading a victim to open a...

CVSS 8.8 | AI score 0.7 | EPSS 0.44097
Exploits: 10 | Affected Software: 1