CVE-2018-1778 Information
Feb 14, 2021
cve
Description
IBM LoopBack (IBM API Connect 2018.1, 2018.4.1, 5.0.8.0 and 5.0.8.4) could allow an attacker to bypass authentication. If the AccessToken model is exposed over the REST API, anyone who knows a user's userId can create an AccessToken for that user and thereby gain access to that user's data and privileges (for example, if the user happens to be an Admin). IBM X-Force ID: 148801.
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
http://www.ibm.com/support/docview.wss?uid=ibm10733883
http://www.securityfocus.com/bid/106313
https://exchange.xforce.ibmcloud.com/vulnerabilities/148801
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.1
Base Severity
HIGH