cvelistv5 - cve-2017-1555

CVE-2017-1555 (GCVE-0-2017-1555)

Vulnerability from cvelistv5

Published

2017-09-25 16:00

Modified

2024-09-16 22:01

Severity ?

CWE

Bypass Security

Summary

IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545.

References

URL

Tags

psirt@us.ibm.com	http://www.ibm.com/support/docview.wss?uid=swg22008588	Patch, Vendor Advisory
psirt@us.ibm.com	http://www.securityfocus.com/bid/100973	Third Party Advisory, VDB Entry
psirt@us.ibm.com	https://exchange.xforce.ibmcloud.com/vulnerabilities/131545	VDB Entry, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.ibm.com/support/docview.wss?uid=swg22008588	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/100973	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/131545	VDB Entry, Vendor Advisory

Impacted products

	Vendor	Product	Version
	IBM	API Connect	Version: 5.0.1.0 Version: 5.0.0.0 Version: 5.0.0.1 Version: 5.0.2.0 Version: 5.0.5.0 Version: 5.0.6.0 Version: 5.0.6.1 Version: 5.0.6.2 Version: 5.0.7.0 Version: 5.0.7.1 Version: 5.0.3.0 Version: 5.0.4.0 Version: 5.0 Version: 5.0.7.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T13:39:31.640Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/131545"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.ibm.com/support/docview.wss?uid=swg22008588"
          },
          {
            "name": "100973",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100973"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "API Connect",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "5.0.1.0"
            },
            {
              "status": "affected",
              "version": "5.0.0.0"
            },
            {
              "status": "affected",
              "version": "5.0.0.1"
            },
            {
              "status": "affected",
              "version": "5.0.2.0"
            },
            {
              "status": "affected",
              "version": "5.0.5.0"
            },
            {
              "status": "affected",
              "version": "5.0.6.0"
            },
            {
              "status": "affected",
              "version": "5.0.6.1"
            },
            {
              "status": "affected",
              "version": "5.0.6.2"
            },
            {
              "status": "affected",
              "version": "5.0.7.0"
            },
            {
              "status": "affected",
              "version": "5.0.7.1"
            },
            {
              "status": "affected",
              "version": "5.0.3.0"
            },
            {
              "status": "affected",
              "version": "5.0.4.0"
            },
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "status": "affected",
              "version": "5.0.7.2"
            }
          ]
        }
      ],
      "datePublic": "2017-09-21T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Bypass Security",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-26T09:57:01",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/131545"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.ibm.com/support/docview.wss?uid=swg22008588"
        },
        {
          "name": "100973",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100973"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "DATE_PUBLIC": "2017-09-21T00:00:00",
          "ID": "CVE-2017-1555",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "API Connect",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.0.1.0"
                          },
                          {
                            "version_value": "5.0.0.0"
                          },
                          {
                            "version_value": "5.0.0.1"
                          },
                          {
                            "version_value": "5.0.2.0"
                          },
                          {
                            "version_value": "5.0.5.0"
                          },
                          {
                            "version_value": "5.0.6.0"
                          },
                          {
                            "version_value": "5.0.6.1"
                          },
                          {
                            "version_value": "5.0.6.2"
                          },
                          {
                            "version_value": "5.0.7.0"
                          },
                          {
                            "version_value": "5.0.7.1"
                          },
                          {
                            "version_value": "5.0.3.0"
                          },
                          {
                            "version_value": "5.0.4.0"
                          },
                          {
                            "version_value": "5.0"
                          },
                          {
                            "version_value": "5.0.7.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "IBM"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Bypass Security"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/131545",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/131545"
            },
            {
              "name": "http://www.ibm.com/support/docview.wss?uid=swg22008588",
              "refsource": "CONFIRM",
              "url": "http://www.ibm.com/support/docview.wss?uid=swg22008588"
            },
            {
              "name": "100973",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100973"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2017-1555",
    "datePublished": "2017-09-25T16:00:00Z",
    "dateReserved": "2016-11-30T00:00:00",
    "dateUpdated": "2024-09-16T22:01:43.970Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2017-1555\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2017-09-25T16:29:00.443\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545.\"},{\"lang\":\"es\",\"value\":\"IBM API Connect desde la versi\u00f3n 5.0.0.0 hasta la 5.0.7.2 podr\u00eda permitir que un usuario autenticado genere un token API cuando no est\u00e1 suscrito al plan de aplicaci\u00f3n. IBM X-Force ID: 131545.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6B43F8D4-A60E-4C56-B868-8616958A0B74\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"39A4F3B4-A3D8-4281-BBB1-8B95297657F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4049722A-338F-49FA-A9B2-2A432F04D2A8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4C12F86C-FBDF-4231-B4EA-4279FC730088\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1BBC9AEC-CD8B-4F2A-99A7-469B93107B9F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BBB03CE4-C3EE-41E9-9321-9AB9829FDB5D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C7B9AC88-C53D-4810-B21E-7A836524859B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D8AD67C-0221-4EF1-B0A2-C13CEE62D27F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.6.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"61864755-C7B6-416C-9D3E-334AB3D94825\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.6.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7FCB9030-50A4-4B9B-8457-9DB9E13B3211\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.6.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E2679C4-FF15-4FB5-A6D6-11229AB5EFF5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.6.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7BB28DE-AF37-4444-8BA5-9928072C2F6C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"336EC55F-E19B-4D26-8AEA-40DC40F6C0A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.7.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FBB6EF04-A24E-4857-8C7A-DE779AFA8B70\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:5.0.7.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6C6AFDC6-3596-4640-8E92-984B308A1C75\"}]}]}],\"references\":[{\"url\":\"http://www.ibm.com/support/docview.wss?uid=swg22008588\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/100973\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/131545\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"VDB Entry\",\"Vendor Advisory\"]},{\"url\":\"http://www.ibm.com/support/docview.wss?uid=swg22008588\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/100973\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/131545\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"VDB Entry\",\"Vendor Advisory\"]}]}}"
  }
}

ghsa-6qpg-q62m-qghr

Vulnerability from github

Published

2022-05-17 00:35

Modified

2022-05-17 00:35

Severity ?

4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Details

IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2017-1555"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-25T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545.",
  "id": "GHSA-6qpg-q62m-qghr",
  "modified": "2022-05-17T00:35:41Z",
  "published": "2022-05-17T00:35:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1555"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/131545"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22008588"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100973"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cnvd-2017-34977

Vulnerability from cnvd

Title

IBM API Connect安全绕过漏洞

Description

IBM API Connect（又名APIConnect）是美国IBM公司的一套用于管理API生命周期的集成解决方案。该方案支持创建、运行、管理和保护API和微服务等。 IBM API Connect存在安全漏洞。攻击者可利用该漏洞创建API令牌。

Severity

中

Patch Name

IBM API Connect安全绕过漏洞的补丁

Patch Description

IBM API Connect（又名APIConnect）是美国IBM公司的一套用于管理API生命周期的集成解决方案。该方案支持创建、运行、管理和保护API和微服务等。 IBM API Connect存在安全漏洞。攻击者可利用该漏洞创建API令牌。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： http://www-01.ibm.com/support/docview.wss?uid=swg22008588

Reference

https://nvd.nist.gov/vuln/detail/CVE-2017-1555 http://www.securityfocus.com/bid/100973

Impacted products

Name
['IBM API Connect 5.0.2.0', 'IBM API Connect 5.0.7.0', 'IBM API Connect 5.0.7.2', 'IBM API Connect 5.0.7.1', 'IBM API Connect 5.0.0.0', 'IBM API Connect 5.0.0.1', 'IBM API Connect 5.0.3.0', 'IBM API Connect 5.0.6.0', 'IBM API Connect 5.0.6.2', 'IBM API Connect 5.0.6.3']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "100973"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-1555"
    }
  },
  "description": "IBM API Connect\uff08\u53c8\u540dAPIConnect\uff09\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u7ba1\u7406API\u751f\u547d\u5468\u671f\u7684\u96c6\u6210\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u65b9\u6848\u652f\u6301\u521b\u5efa\u3001\u8fd0\u884c\u3001\u7ba1\u7406\u548c\u4fdd\u62a4API\u548c\u5fae\u670d\u52a1\u7b49\u3002\r\n\r\nIBM API Connect\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u521b\u5efaAPI\u4ee4\u724c\u3002",
  "discovererName": "IBM",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://www-01.ibm.com/support/docview.wss?uid=swg22008588",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-34977",
  "openTime": "2017-11-23",
  "patchDescription": "IBM API Connect\uff08\u53c8\u540dAPIConnect\uff09\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u7ba1\u7406API\u751f\u547d\u5468\u671f\u7684\u96c6\u6210\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u65b9\u6848\u652f\u6301\u521b\u5efa\u3001\u8fd0\u884c\u3001\u7ba1\u7406\u548c\u4fdd\u62a4API\u548c\u5fae\u670d\u52a1\u7b49\u3002\r\n\r\nIBM API Connect\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u521b\u5efaAPI\u4ee4\u724c\u3002\r\n\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM API Connect\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM API Connect 5.0.2.0",
      "IBM API Connect 5.0.7.0",
      "IBM API Connect 5.0.7.2",
      "IBM API Connect 5.0.7.1",
      "IBM API Connect 5.0.0.0",
      "IBM API Connect 5.0.0.1",
      "IBM API Connect 5.0.3.0",
      "IBM API Connect 5.0.6.0",
      "IBM API Connect 5.0.6.2",
      "IBM API Connect 5.0.6.3"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2017-1555\r\nhttp://www.securityfocus.com/bid/100973",
  "serverity": "\u4e2d",
  "submitTime": "2017-09-26",
  "title": "IBM API Connect\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e"
}

gsd-2017-1555

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545.

Aliases

CVE-2017-1555

Aliases

CVE-2017-1555

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-1555",
    "description": "IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545.",
    "id": "GSD-2017-1555"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-1555"
      ],
      "details": "IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545.",
      "id": "GSD-2017-1555",
      "modified": "2023-12-13T01:21:11.578504Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@us.ibm.com",
        "DATE_PUBLIC": "2017-09-21T00:00:00",
        "ID": "CVE-2017-1555",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "API Connect",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "5.0.1.0"
                        },
                        {
                          "version_value": "5.0.0.0"
                        },
                        {
                          "version_value": "5.0.0.1"
                        },
                        {
                          "version_value": "5.0.2.0"
                        },
                        {
                          "version_value": "5.0.5.0"
                        },
                        {
                          "version_value": "5.0.6.0"
                        },
                        {
                          "version_value": "5.0.6.1"
                        },
                        {
                          "version_value": "5.0.6.2"
                        },
                        {
                          "version_value": "5.0.7.0"
                        },
                        {
                          "version_value": "5.0.7.1"
                        },
                        {
                          "version_value": "5.0.3.0"
                        },
                        {
                          "version_value": "5.0.4.0"
                        },
                        {
                          "version_value": "5.0"
                        },
                        {
                          "version_value": "5.0.7.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "IBM"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Bypass Security"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/131545",
            "refsource": "MISC",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/131545"
          },
          {
            "name": "http://www.ibm.com/support/docview.wss?uid=swg22008588",
            "refsource": "CONFIRM",
            "url": "http://www.ibm.com/support/docview.wss?uid=swg22008588"
          },
          {
            "name": "100973",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/100973"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.6.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.6.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.6.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.6.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.4.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.6.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.7.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.5.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ibm:api_connect:5.0.7.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "ID": "CVE-2017-1555"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/131545",
              "refsource": "MISC",
              "tags": [
                "VDB Entry",
                "Vendor Advisory"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/131545"
            },
            {
              "name": "http://www.ibm.com/support/docview.wss?uid=swg22008588",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://www.ibm.com/support/docview.wss?uid=swg22008588"
            },
            {
              "name": "100973",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/100973"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2017-10-03T16:41Z",
      "publishedDate": "2017-09-25T16:29Z"
    }
  }
}

fkie_cve-2017-1555

Vulnerability from fkie_nvd

Published

2017-09-25 16:29

Modified

2025-04-20 01:37

Severity ?

4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary

IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545.

References

URL	Tags
psirt@us.ibm.com	http://www.ibm.com/support/docview.wss?uid=swg22008588	Patch, Vendor Advisory
psirt@us.ibm.com	http://www.securityfocus.com/bid/100973	Third Party Advisory, VDB Entry
psirt@us.ibm.com	https://exchange.xforce.ibmcloud.com/vulnerabilities/131545	VDB Entry, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.ibm.com/support/docview.wss?uid=swg22008588	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/100973	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/131545	VDB Entry, Vendor Advisory

Impacted products

Vendor	Product	Version
ibm	api_connect	5.0.0.0
ibm	api_connect	5.0.0.1
ibm	api_connect	5.0.1.0
ibm	api_connect	5.0.2.0
ibm	api_connect	5.0.3.0
ibm	api_connect	5.0.4.0
ibm	api_connect	5.0.5.0
ibm	api_connect	5.0.6.0
ibm	api_connect	5.0.6.1
ibm	api_connect	5.0.6.2
ibm	api_connect	5.0.6.3
ibm	api_connect	5.0.6.4
ibm	api_connect	5.0.7.0
ibm	api_connect	5.0.7.1
ibm	api_connect	5.0.7.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B43F8D4-A60E-4C56-B868-8616958A0B74",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "39A4F3B4-A3D8-4281-BBB1-8B95297657F1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4049722A-338F-49FA-A9B2-2A432F04D2A8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C12F86C-FBDF-4231-B4EA-4279FC730088",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1BBC9AEC-CD8B-4F2A-99A7-469B93107B9F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BBB03CE4-C3EE-41E9-9321-9AB9829FDB5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7B9AC88-C53D-4810-B21E-7A836524859B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D8AD67C-0221-4EF1-B0A2-C13CEE62D27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "61864755-C7B6-416C-9D3E-334AB3D94825",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "7FCB9030-50A4-4B9B-8457-9DB9E13B3211",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E2679C4-FF15-4FB5-A6D6-11229AB5EFF5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7BB28DE-AF37-4444-8BA5-9928072C2F6C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "336EC55F-E19B-4D26-8AEA-40DC40F6C0A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "FBB6EF04-A24E-4857-8C7A-DE779AFA8B70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:api_connect:5.0.7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "6C6AFDC6-3596-4640-8E92-984B308A1C75",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545."
    },
    {
      "lang": "es",
      "value": "IBM API Connect desde la versi\u00f3n 5.0.0.0 hasta la 5.0.7.2 podr\u00eda permitir que un usuario autenticado genere un token API cuando no est\u00e1 suscrito al plan de aplicaci\u00f3n. IBM X-Force ID: 131545."
    }
  ],
  "id": "CVE-2017-1555",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-09-25T16:29:00.443",
  "references": [
    {
      "source": "psirt@us.ibm.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22008588"
    },
    {
      "source": "psirt@us.ibm.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100973"
    },
    {
      "source": "psirt@us.ibm.com",
      "tags": [
        "VDB Entry",
        "Vendor Advisory"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/131545"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22008588"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100973"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "VDB Entry",
        "Vendor Advisory"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/131545"
    }
  ],
  "sourceIdentifier": "psirt@us.ibm.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2017-1555 (GCVE-0-2017-1555)

Vulnerability from cvelistv5

ghsa-6qpg-q62m-qghr

Vulnerability from github

cnvd-2017-34977

Vulnerability from cnvd

gsd-2017-1555

Vulnerability from gsd

fkie_cve-2017-1555

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature