cnvd - cnvd-2023-09609

cnvd-2023-09609

Vulnerability from cnvd

Title: IBM API Connect存在未明漏洞（CNVD-2023-09609）

Description:

IBM API Connect（APIConnect）是美国国际商业机器（IBM）公司的一套用于管理API生命周期的集成解决方案。该产品支持创建、运行、管理和保护API和微服务等。

IBM API Connect存在安全漏洞，该漏洞源于对用户提供的输入验证不当。目前没有详细的漏洞细节提供。

Severity: 中

Patch Name: IBM API Connect存在未明漏洞（CNVD-2023-09609）的补丁

Patch Description:

IBM API Connect存在安全漏洞，该漏洞源于对用户提供的输入验证不当。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布漏洞修复程序，请及时关注更新： https://www.ibm.com/support/pages/node/6921243

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-34350

Impacted products

Name
['IBM API Connect >=10.0.0.0，<=10.0.5.0', 'IBM API Connect >=10.0.1.0，<=10.0.1.7', 'IBM API Connect >=2018.4.1.0，<=2018.4.1.20']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-34350"
    }
  },
  "description": "IBM API Connect\uff08APIConnect\uff09\u662f\u7f8e\u56fd\u56fd\u9645\u5546\u4e1a\u673a\u5668\uff08IBM\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u7ba1\u7406API\u751f\u547d\u5468\u671f\u7684\u96c6\u6210\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u521b\u5efa\u3001\u8fd0\u884c\u3001\u7ba1\u7406\u548c\u4fdd\u62a4API\u548c\u5fae\u670d\u52a1\u7b49\u3002\n\nIBM API Connect\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\u9a8c\u8bc1\u4e0d\u5f53\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.ibm.com/support/pages/node/6921243",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-09609",
  "openTime": "2023-02-17",
  "patchDescription": "IBM API Connect\uff08APIConnect\uff09\u662f\u7f8e\u56fd\u56fd\u9645\u5546\u4e1a\u673a\u5668\uff08IBM\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u7ba1\u7406API\u751f\u547d\u5468\u671f\u7684\u96c6\u6210\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u521b\u5efa\u3001\u8fd0\u884c\u3001\u7ba1\u7406\u548c\u4fdd\u62a4API\u548c\u5fae\u670d\u52a1\u7b49\u3002\r\n\r\nIBM API Connect\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\u9a8c\u8bc1\u4e0d\u5f53\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM API Connect\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2023-09609\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM API Connect \u003e=10.0.0.0\uff0c\u003c=10.0.5.0",
      "IBM API Connect \u003e=10.0.1.0\uff0c\u003c=10.0.1.7",
      "IBM API Connect \u003e=2018.4.1.0\uff0c\u003c=2018.4.1.20"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-34350",
  "serverity": "\u4e2d",
  "submitTime": "2023-02-09",
  "title": "IBM API Connect\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2023-09609\uff09"
}

CVE-2022-34350 (GCVE-0-2022-34350)

Vulnerability from cvelistv5

Published

2023-02-08 19:12

Modified

2025-03-25 13:50

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE 435 Improper Interaction Between Multiple Correctly-Behaving Entities

Summary

IBM API Connect 10.0.0.0 through 10.0.5.0, 10.0.1.0 through 10.0.1.7, and 2018.4.1.0 through 2018.4.1.20 is vulnerable to External Service Interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 230264.

References

▼	URL	Tags
	https://www.ibm.com/support/pages/node/6921243	vendor-advisory
	https://exchange.xforce.ibmcloud.com/vulnerabilities/230264	vdb-entry

Impacted products

	Vendor	Product	Version
	IBM	API Connect	Version: 10.0.0.0 ≤ Version: 10.0.1.0 ≤ Version: 2018.4.1.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:07:16.135Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/pages/node/6921243"
          },
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/230264"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-34350",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-25T13:50:00.508922Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-25T13:50:09.275Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "API Connect",
          "vendor": "IBM",
          "versions": [
            {
              "lessThan": "10.0.5.0",
              "status": "affected",
              "version": "10.0.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.0.1.7",
              "status": "affected",
              "version": "10.0.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2018.4.1.20",
              "status": "affected",
              "version": "2018.4.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM API Connect 10.0.0.0 through 10.0.5.0, 10.0.1.0 through 10.0.1.7, and 2018.4.1.0 through 2018.4.1.20 is vulnerable to External Service Interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with.  IBM X-Force ID:  230264."
            }
          ],
          "value": "IBM API Connect 10.0.0.0 through 10.0.5.0, 10.0.1.0 through 10.0.1.7, and 2018.4.1.0 through 2018.4.1.20 is vulnerable to External Service Interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with.  IBM X-Force ID:  230264."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE 435 Improper Interaction Between Multiple Correctly-Behaving Entities",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-08T19:12:31.221Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ibm.com/support/pages/node/6921243"
        },
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/230264"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM API Connect security bypass",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2022-34350",
    "datePublished": "2023-02-08T19:12:31.221Z",
    "dateReserved": "2022-06-23T13:42:39.338Z",
    "dateUpdated": "2025-03-25T13:50:09.275Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted