IBM API Connect has addressed the following vulnerabilities.
CVEID: CVE-2017-0268
DESCRIPTION: Microsoft Server Message Block 1.0 (SMBv1) could allow a remote attacker to obtain sensitive information, caused by improper handling of incoming requests. By sending specially-crafted packet data to the server, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125554> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-0210
DESCRIPTION: Cisco Data Center Network Manager is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by the web-based management interface. By persuading a user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139992> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2018-0021
DESCRIPTION: Juniper Networks Junos OS is vulnerable to a man-in-the-middle attack, caused by an error when configured with short MACsec keys. By using brute-force techniques, a remote attacker from within the local network could exploit this vulnerability to obtain the secret passphrases configured for these keys.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141516> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2016-10531
DESCRIPTION: Node.js marked module is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the link components. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149101> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2018-11698
DESCRIPTION: LibSass could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read of a memory region in the function Sass::handle_error. By using a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base Score: 4.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144297> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)
CVEID: CVE-2018-11499
DESCRIPTION: LibSass is vulnerable to a denial of service, caused by a use-after-free in handle_error() in sass_context.cpp. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143880> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-11693
DESCRIPTION: LibSass could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read of a memory region in the function Sass::Prelexer::skip_over_scopes. By using a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base Score: 4.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144323> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)
CVEID: CVE-2018-11697
DESCRIPTION: LibSass could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read of a memory region in the function Sass::Prelexer::exactly(). By using a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base Score: 4.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144302> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)
CVEID: CVE-2018-11696
DESCRIPTION: LibSass is vulnerable to a denial of service, caused by a NULL pointer dereference in the function Sass::Inspect::operator. By using a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144308> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-11694
DESCRIPTION: LibSass is vulnerable to a denial of service, caused by a NULL pointer dereference in the function Sass::Functions::selector_append. By using a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144317> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-11695
DESCRIPTION: LibSass is vulnerable to a denial of service, caused by a NULL pointer dereference in the function Sass::Expand::operator. By using a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144311> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Affected products and versions: IBM API Connect 5.0.8.0-5.0.8.4; 2018.1-2018.4.1.2
Affected Product | Addressed in VRMF | APAR | Remediation/First Fix
---|---|---|---
IBM API Connect 5.0.8.0-5.0.8.4 | 5.0.8.5 | LI80724 | Addressed in IBM API Connect V5.0.8.5 fix pack. Follow this link and find the APIConnect-Portal package.
IBM API Connect V2018.1 - 2018.4.1.2 | 2018.4.1.3 fixpack | LI80724 | Addressed in IBM API Connect v2018.4.1.3 fixpack. Management server and Analytics components are impacted. Follow this link and find the appropriate form factor for your installation: 'management', 'analytics' or apicup* or ICP for 2018.4.1.3. <http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.2&platform=All&function=all&source=fc>
Workarounds and Mitigations: None
CPE Name | Operator | Version
---|---|---
ibm api connect | eq | 5.0.8.0
ibm api connect | eq | 5.0.8.4
ibm api connect | eq | 2018.1
ibm api connect | eq | 2018.4.1.2