Vulnerability CVE-2019-4203


Published: 2019-04-15

Description:
IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal can be exploited by app developers to download arbitrary files from the host OS and potentially carry out SSRF attacks. IBM X-Force ID: 159124.

Type:

CWE-284

(Improper Access Control)

Vendor: IBM
Product: Api connect 
Version:
5.0.8.6
5.0.8.5
5.0.8.4
5.0.8.3
5.0.8.2
5.0.8.1
5.0.8.0
5.0.7.2
5.0.7.1
5.0.7.0
5.0.6.6
5.0.6.5
5.0.6.4
5.0.6.3
5.0.6.2
5.0.6.1
5.0.6.0
5.0.5.0
5.0.4.0
5.0.3.0
5.0.2.0
5.0.1.0
5.0.0.1
5.0.0.0

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
9/10
8.5/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Partial
Partial

 References:
http://www.securityfocus.com/bid/107905
https://exchange.xforce.ibmcloud.com/vulnerabilities/159124
https://www.ibm.com/support/docview.wss?uid=ibm10880569

Related CVE
CVE-2019-4482
IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disc...
CVE-2019-4437
IBM API Connect 2018.1 through 2018.4.1.6 may inadvertently leak sensitive details about internal servers and network via API swagger. IBM X-force ID: 162947.
CVE-2019-4338
IBM Security Guardium Big Data Intelligence 4.0 (SonarG) does not properly restrict the size or amount of resources that are requested or influenced by an actor. This weakness can be used to consume more resources than intended. IBM X-Force ID: 16141...
CVE-2019-4167
IBM StoredIQ 7.6.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158700.
CVE-2019-4120
IBM Cloud Private 3.1.1 and 3.1.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a ...
CVE-2019-4484
IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 generates an error message that includes sensitive information that could be used in further attacks aga...
CVE-2019-4483
IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or ...
CVE-2019-4481
IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or ...

Copyright 2019, cxsecurity.com

 

Back to Top