CVE-2020-4640

Certain IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 configurations can result in sensitive information in the URL fragment identifiers. This information can be cached in the intermediate nodes like proxy servers, cdn, logging platforms, etc. An attacker can make use of this information to perform attacks by impersonating a user. IBM X-Force ID: 185510.

CVSS v3 4.1 MEDIUM
CVSS v2.0 3.8 LOW

4.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.5 / Impact : 2.5

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

3.8^/10

CVSS v2.0 : LOW

Vector : AV:A/AC:M/Au:S/C:P/I:P/A:N

Exploitability : 4.4 / Impact : 4.9

Access Vector ADJACENT_NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/185510	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6410486	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:api_connect::::::::
	cpe:2.3:a:ibm:api_connect:10.0.0.0:::::::*
	cpe:2.3:a:ibm:api_connect:10.0.1.0:::::::*

History

No history.

Information

Published : 2021-02-04 17:15

Updated : 2024-02-04 21:23

NVD link : CVE-2020-4640

Mitre link : CVE-2020-4640

CVE.ORG link : CVE-2020-4640

JSON object : View

Products Affected

ibm

api_connect

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2020-4640", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.8, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:M/Au:S/C:P/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 4.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 3.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 0.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.5}]}, "published": "2021-02-04T17:15:13.623", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/185510", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/6410486", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Certain IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 configurations can result in sensitive information in the URL fragment identifiers. This information can be cached in the intermediate nodes like proxy servers, cdn, logging platforms, etc. An attacker can make use of this information to perform attacks by impersonating a user. IBM X-Force ID: 185510."}, {"lang": "es", "value": "Determinadas configuraciones de IBM API Connect versiones 10.0.0.0 hasta 10.0.1.0 y versiones 2018.4.1.0 hasta 2018.4.1.13, pueden resultar en informaci\u00f3n confidencial en los identificadores de fragmentos de URL. Esta informaci\u00f3n puede ser almacenada en cach\u00e9 en los nodos intermedios como servidores proxy, cdn, plataformas de registro, etc. Un atacante puede hacer uso de esta informaci\u00f3n para realizar ataques haci\u00e9ndose pasar por un usuario. IBM X-Force ID: 185510"}], "lastModified": "2021-02-04T22:11:32.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "403B95C9-40E9-4F9D-AE7D-5B3BC2ECE8A5", "versionEndIncluding": "2018.4.1.13", "versionStartIncluding": "2018.4.1.0"}, {"criteria": "cpe:2.3:a:ibm:api_connect:10.0.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AF48BB29-806D-4613-A1D8-77462461245E"}, {"criteria": "cpe:2.3:a:ibm:api_connect:10.0.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "594C5FF7-61BC-409D-A77D-5BDC53CEFE09"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}