cve-2021-20440
Vulnerability from cvelistv5
Published
2021-03-15 15:30
Modified
2024-09-16 20:01
Severity ?
EPSS score ?
0.18%
(0.40347)
Summary
IBM API Connect 10.0.0.0, and 2018.4.1.0 through 2018.4.1.13 does not restrict member registration to the intended recepient. An attacker who is a valid user in the user registry used by API Manager can use a stolen invitation link and register themselves as a member of an API provider organization. IBM X-Force ID: 196536.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@us.ibm.com | https://exchange.xforce.ibmcloud.com/vulnerabilities/196536 | VDB Entry, Vendor Advisory | |
| psirt@us.ibm.com | https://www.ibm.com/support/pages/node/6430107 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/196536 | VDB Entry, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ibm.com/support/pages/node/6430107 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | API Connect |
Version: 2018.4.1.0 Version: 2018.4.1.13 Version: 10.0.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T17:37:24.339Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.ibm.com/support/pages/node/6430107", }, { name: "ibm-api-cve202120440-info-disc (196536)", tags: [ "vdb-entry", "x_refsource_XF", "x_transferred", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/196536", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "API Connect", vendor: "IBM", versions: [ { status: "affected", version: "2018.4.1.0", }, { status: "affected", version: "2018.4.1.13", }, { status: "affected", version: "10.0.0.0", }, ], }, ], datePublic: "2021-03-14T00:00:00", descriptions: [ { lang: "en", value: "IBM API Connect 10.0.0.0, and 2018.4.1.0 through 2018.4.1.13 does not restrict member registration to the intended recepient. An attacker who is a valid user in the user registry used by API Manager can use a stolen invitation link and register themselves as a member of an API provider organization. IBM X-Force ID: 196536.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", exploitCodeMaturity: "UNPROVEN", integrityImpact: "LOW", privilegesRequired: "LOW", remediationLevel: "OFFICIAL_FIX", reportConfidence: "CONFIRMED", scope: "UNCHANGED", temporalScore: 5.6, temporalSeverity: "MEDIUM", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/PR:L/A:L/C:H/AC:H/S:U/I:L/UI:N/RC:C/RL:O/E:U", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Obtain Information", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-03-15T15:30:17", orgId: "9a959283-ebb5-44b6-b705-dcc2bbced522", shortName: "ibm", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://www.ibm.com/support/pages/node/6430107", }, { name: "ibm-api-cve202120440-info-disc (196536)", tags: [ "vdb-entry", "x_refsource_XF", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/196536", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "psirt@us.ibm.com", DATE_PUBLIC: "2021-03-14T00:00:00", ID: "CVE-2021-20440", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "API Connect", version: { version_data: [ { version_value: "2018.4.1.0", }, { version_value: "2018.4.1.13", }, { version_value: "10.0.0.0", }, ], }, }, ], }, vendor_name: "IBM", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "IBM API Connect 10.0.0.0, and 2018.4.1.0 through 2018.4.1.13 does not restrict member registration to the intended recepient. An attacker who is a valid user in the user registry used by API Manager can use a stolen invitation link and register themselves as a member of an API provider organization. IBM X-Force ID: 196536.", }, ], }, impact: { cvssv3: { BM: { A: "L", AC: "H", AV: "N", C: "H", I: "L", PR: "L", S: "U", UI: "N", }, TM: { E: "U", RC: "C", RL: "O", }, }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Obtain Information", }, ], }, ], }, references: { reference_data: [ { name: "https://www.ibm.com/support/pages/node/6430107", refsource: "CONFIRM", title: "IBM Security Bulletin 6430107 (API Connect)", url: "https://www.ibm.com/support/pages/node/6430107", }, { name: "ibm-api-cve202120440-info-disc (196536)", refsource: "XF", title: "X-Force Vulnerability Report", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/196536", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "9a959283-ebb5-44b6-b705-dcc2bbced522", assignerShortName: "ibm", cveId: "CVE-2021-20440", datePublished: "2021-03-15T15:30:17.410802Z", dateReserved: "2020-12-17T00:00:00", dateUpdated: "2024-09-16T20:01:51.745Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { nvd: "{\"cve\":{\"id\":\"CVE-2021-20440\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2021-03-15T16:15:13.217\",\"lastModified\":\"2024-11-21T05:46:35.797\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IBM API Connect 10.0.0.0, and 2018.4.1.0 through 2018.4.1.13 does not restrict member registration to the intended recepient. An attacker who is a valid user in the user registry used by API Manager can use a stolen invitation link and register themselves as a member of an API provider organization. IBM X-Force ID: 196536.\"},{\"lang\":\"es\",\"value\":\"IBM API Connect versiones 10.0.0.0 y 2018.4.1.0 hasta 2018.4.1.13, no restringe el registro de miembros al destinatario previsto. Un atacante que sea un usuario válido en el registro de usuarios usado por API Manager puede usar un enlace de invitación robado y registrarse como miembro de una organización proveedora de API. IBM X-Force ID: 196536\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV30\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":4.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2018.4.1.0\",\"versionEndIncluding\":\"2018.4.1.13\",\"matchCriteriaId\":\"403B95C9-40E9-4F9D-AE7D-5B3BC2ECE8A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:api_connect:10.0.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF48BB29-806D-4613-A1D8-77462461245E\"}]}]}],\"references\":[{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/196536\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"VDB Entry\",\"Vendor Advisory\"]},{\"url\":\"https://www.ibm.com/support/pages/node/6430107\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/196536\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"VDB Entry\",\"Vendor Advisory\"]},{\"url\":\"https://www.ibm.com/support/pages/node/6430107\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}", }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.