CVE-2018-1778
Last modified
CVE-2018-1778 is a vulnerability of currently unknown severity. IBM LoopBack (IBM API Connect 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4) could allow an attacker to bypass authentication if the AccessToken Model is exposed over a REST API, it is then possible for anyone to create an AccessToken for any User provided they know the userId and can hence get access to the other user’s data / access to their privileges (if the user happens to be an Admin for example). IBM X-Force ID: 148801.. EPSS estimates a 3.45% chance of exploitation in the next 30 days.
Description
IBM LoopBack (IBM API Connect 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4) could allow an attacker to bypass authentication if the AccessToken Model is exposed over a REST API, it is then possible for anyone to create an AccessToken for any User provided they know the userId and can hence get access to the other user’s data / access to their privileges (if the user happens to be an Admin for example). IBM X-Force ID: 148801.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Ibm | Api Connect | >= 5.0.8.0, <= 5.0.8.4 |
| Ibm | Api Connect | >= 2018.1.0, <= 2018.4.1.0 |
References
- http://www.ibm.com/support/docview.wss?uid=ibm10733883Patch, Vendor Advisory
- http://www.securityfocus.com/bid/106313Third Party Advisory, VDB Entry
- https://exchange.xforce.ibmcloud.com/vulnerabilities/148801VDB Entry, Vendor Advisory
- http://www.ibm.com/support/docview.wss?uid=ibm10733883Patch, Vendor Advisory
- http://www.securityfocus.com/bid/106313Third Party Advisory, VDB Entry
- https://exchange.xforce.ibmcloud.com/vulnerabilities/148801VDB Entry, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2018-1778?
How severe is CVE-2018-1778?
How do I fix CVE-2018-1778?
Are you affected by CVE-2018-1778?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST