772 matches found
Security Bulletin: Weak Cipher available in IBM API Connect (CVE-2015-2808)
Summary A weak cipher is available for TLS and SSL connections used by IBM API Connect. Vulnerability Details CVEID: CVE-2015-2808 DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploi...
Security Bulletin: API security restrictions can be bypassed in IBM API Connect (CVE-2017-1328)
Summary APIs managed by API Connect which are protected by security restrictions could be accessed without providing valid security credentials. Vulnerability Details CVEID: CVE-2017-1328 DESCRIPTION: IBM API Connect could allow a remote attacker to bypass security restrictions of the API, caused...
Security Bulletin: IBM API Connect Developer Portal is vulnerable to unauthenticated remote code execution (CVE-2017-1161)
Summary An unauthenticated remote code execution vulnerability affects IBM API Connect Developer Portal. IBM has addressed this vulnerability. Vulnerability Details CVEID: CVE-2017-1161 DESCRIPTION: IBM API Connect could allow a remote attacker to execute arbitrary commands on the system, caused ...
Security Bulletin: Multiple vulnerabilities in Node.js affects IBM API Connect (CVE-2016-7099, CVE-2016-5325)
Summary IBM API Connect is affected by three vulnerabilities in Node.js CVE-2016-7099, CVE-2016-5325 and one for which a CVE ID was not assigned. These vulnerabilities are now fixed. Vulnerability Details CVEID: CVE-2016-7099 DESCRIPTION: Node.js could allow a remote attacker to bypass security...
Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM API Management (CVE-2016-2177, CVE-2016-2178, CVE-2016-2180)
Summary OpenSSL vulnerabilities were disclosed in August and September 2016 by the OpenSSL Project. OpenSSL is used by IBM API Management. IBM API Management has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2016-2177 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused ...
Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM API Connect (CVE-2016-5597)
Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7.0 that is used by IBM API Connect. These issues were disclosed as part of the IBM Java SDK updates in October 2016. Vulnerability Details Relevant CVE Information: CVEID: CVE-2016-5597 DESCRIPTION: An...
Security Bulletin: Multiple vulnerabilities affecting web servers that run code in a CGI or CGI-like context affects IBM API Connect (CVE-2016-5385, CVE-2016-1000105)
Summary IBM API Connect is affected by multiple vulnerabilities relating to web servers that run code in a CGI or CGI-like context CVE-2016-5385, CVE-2016-1000105. IBM has addressed these vulnerabilities. Vulnerability Details CVEID: CVE-2016-5385 DESCRIPTION: PHP could allow a remote attacker to...
Security Bulletin: IBM API Connect server credentials used for a specific restricted scenario may have been exposed (CVE-2016-3012)
Summary IBM API Connect server credentials used for a specific restricted scenario that is internal and does not involve authentication may have been exposed and packaged in the toolkit. Vulnerability Details CVEID: CVE-2016-3012 DESCRIPTION: IBM API Connect server credentials used for an internal...
Security Bulletin: Multiple vulnerabilities in NPM affects IBM API Connect (CVE-2016-3956, CVE-2016-2537, CVE-2016-2515)
Summary IBM API Connect is affected by two ReDoS vulnerabilities in modules included in the Node.js npm tool CVE-2016-2537, CVE-2016-2515 and Node.js Package Manager npm Bearer Token Vulnerability CVE-2016-3956. These vulnerabilities are now fixed. Vulnerability Details CVEID: CVE-2016-2515...
IBM API Connect Information Disclosure Vulnerability (CNVD-2018-10950)
IBM API Connect aka APIConnect is an integrated solution for managing the API lifecycle from IBM USA. The solution supports creating, running, managing and securing APIs, microservices and more. A security vulnerability exists in IBM API Connect versions 5.0.0.0 through 5.0.8.2, which stems from...
CVE-2018-1532
IBM API Connect 5.0.0.0 through 5.0.8.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system. IBM X-Force ID: 142430...
Cross site request forgery (csrf)
IBM API Connect 5.0.0.0 through 5.0.8.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system. IBM X-Force ID: 142430...
CVE-2018-1532
IBM API Connect versions 5.0.0.0–5.0.8.2 do not properly update the SESSIONID with each request, enabling an attacker to obtain the session ID and leverage it in further attacks. The vulnerability affects IBM API Connect (Management Server) and is documented with CVE-2018-1532. IBM’s security bul...
CVE-2018-1468
IBM API Connect 5.0.8.1 and 5.0.8.2 could allow a user to get access to internal environment and sensitive API details to which they are not authorized. IBM X-Force ID: 140399...
Code injection
IBM API Connect 5.0.8.1 and 5.0.8.2 could allow a user to get access to internal environment and sensitive API details to which they are not authorized. IBM X-Force ID: 140399...
CVE-2018-1468
CVE-2018-1468 affects IBM API Connect 5.0.8.1–5.0.8.2, enabling a user to access internal environments and sensitive API details to which they are not authorized. The vulnerability is an information-disclosure issue with CVSSv3 base score 4.3 (vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)...
IBM API Connect Cross-Site Scripting Vulnerability (CNVD-2018-08943)
IBM API Connect aka APIConnect is an integrated solution for managing the API lifecycle from IBM USA. The solution supports creating, running, managing and securing APIs, microservices and more. A cross-site scripting vulnerability exists in IBM API Connect versions 5.0.0.0 through 5.0.6.5, 5.0.7...