IBM API Connect has addressed the following vulnerability.
CVEID:CVE-2020-7061
**DESCRIPTION:**PHP could allow a remote attacker to obtain sensitive information, caused by an error while extracting PHAR files on Windows using phar extension. An attacker could exploit this vulnerability to trigger a one-byte read past the allocated buffer to obtain sensitive information or cause the application to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177008 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVEID:CVE-2020-7062
**DESCRIPTION:**PHP is vulnerable to a denial of service, caused by a NULL pointer dereference in PHP session upload progress. By using file upload functionality, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177007 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2020-7063
**DESCRIPTION:**PHP could allow a remote attacker to obtain sensitive information. The files are added with 0666 default permissions when creating PHAR archive using PharData::buildFromIterator() function. This results in files having more lax permissions than intended. An attacker could exploit this vulnerability to gain access to the system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177006 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
API Connect | IBM API Connect V5.0.0.0-5.0.8.7 |
API Connect | V2018.4.1.0-V2018.4.1.10 |
Affected Product | Addressed in VRMF | APAR | Remediation/First Fix |
---|
IBM API Connect
V5.0.0.0-5.0.8.7
| 5.0.8.8
| LI81500| Addressed in IBM API Connect V5.0.8.8.
Developer Portal is impacted.
Follow this link and find the “Portal” package:
http://www.ibm.com/support/fixcentral/swg/quickorder
IBM API Connect
V2018.4.1.0-2018.4.1.10
| 2018.4.1.11|
LI81500
|
Addressed in IBM API Connect V2018.4.1.11.
Developer Portal server is impacted.
Follow this link and find the “Portal” package appropriate for your installation.
http://www.ibm.com/support/fixcentral/swg/quickorder
None