IBM API Connect has addressed the following vulnerability.
API Connect user are affected by a TwoFactor (2FA/TFA) bypass while resetting password.
Using API Connect version 5.0.8.3 and with Two Factor Authentication enabled on the Developer Portal it is possible to bypass TFA and get full access.
Vulnerability Details
CVEID:CVE-2018-1638
**DESCRIPTION:*IBM API Connect Developer Portal does not enforce Two Factor Authentication(TFA) while resetting a user password but enforces it for all other login scenarios.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144483> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)
Affected API Connect | Affected Versions |
---|---|
API Connect | 5.0.0.0-5.0.8.3 |
Product | VRMF | APAR | Remediation / First Fix |
---|---|---|---|
API Connect | 5.0.8.3 | LI80134 |
Addressed in IBM API Connect iFix 5.0.8.3-APIConnect-Portal-Ubuntu16-20180524-1117 for V5.0.8.3.
Developer Portal is impacted.
Follow this link and find the fix ID 5.0.8.3-APIConnect-Portal-Ubuntu16-20180524-1117
Select Option 2 for 5.0.8.3-APIConnect-Portal-Ubuntu16-20180524-1117
None