CVE-2018-2009 - OpenCVE

IBM API Connect v2018.1 and 2018.4.1 is affected by an information disclosure vulnerability in the consumer API. Any registered user can obtain a list of all other users in all other orgs, including email id/names, etc. IBM X-Force ID: 155148.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Api Connect

Configuration 1 [-]

cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/107396
https://exchange.xforce.ibmcloud.com/vulnerabilities/155148
https://www.ibm.com/support/docview.wss?uid=ibm10794327

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2019-03-11T22:00:00Z

Updated: 2024-09-17T03:59:22.652Z

Reserved: 2017-12-13T00:00:00

Link: CVE-2018-2009

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-03-11T22:29:00.813

Modified: 2019-10-09T23:39:52.963

Link: CVE-2018-2009

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "API Connect", "vendor": "IBM", "versions": [{"status": "affected", "version": "2018.1"}, {"status": "affected", "version": "2018.4.1"}]}], "datePublic": "2019-03-05T00:00:00", "descriptions": [{"lang": "en", "value": "IBM API Connect v2018.1 and 2018.4.1 is affected by an information disclosure vulnerability in the consumer API. Any registered user can obtain a list of all other users in all other orgs, including email id/names, etc. IBM X-Force ID: 155148."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "NONE", "privilegesRequired": "LOW", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 5.7, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/A:N/AC:L/AV:N/C:H/I:N/PR:L/S:U/UI:N/E:U/RC:C/RL:O", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Obtain Information", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-03-14T09:57:01", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"name": "107396", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/107396"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.ibm.com/support/docview.wss?uid=ibm10794327"}, {"name": "ibm-api-cve20182009-info-disc(155148)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/155148"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "DATE_PUBLIC": "2019-03-05T00:00:00", "ID": "CVE-2018-2009", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "API Connect", "version": {"version_data": [{"version_value": "2018.1"}, {"version_value": "2018.4.1"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM API Connect v2018.1 and 2018.4.1 is affected by an information disclosure vulnerability in the consumer API. Any registered user can obtain a list of all other users in all other orgs, including email id/names, etc. IBM X-Force ID: 155148."}]}, "impact": {"cvssv3": {"BM": {"A": "N", "AC": "L", "AV": "N", "C": "H", "I": "N", "PR": "L", "S": "U", "UI": "N"}, "TM": {"E": "U", "RC": "C", "RL": "O"}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Obtain Information"}]}]}, "references": {"reference_data": [{"name": "107396", "refsource": "BID", "url": "http://www.securityfocus.com/bid/107396"}, {"name": "https://www.ibm.com/support/docview.wss?uid=ibm10794327", "refsource": "CONFIRM", "url": "https://www.ibm.com/support/docview.wss?uid=ibm10794327"}, {"name": "ibm-api-cve20182009-info-disc(155148)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/155148"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T04:14:39.692Z"}, "title": "CVE Program Container", "references": [{"name": "107396", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/107396"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.ibm.com/support/docview.wss?uid=ibm10794327"}, {"name": "ibm-api-cve20182009-info-disc(155148)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/155148"}]}]}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2018-2009", "datePublished": "2019-03-11T22:00:00Z", "dateReserved": "2017-12-13T00:00:00", "dateUpdated": "2024-09-17T03:59:22.652Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C567025-9080-4C12-9F27-005B2A7F5149", "versionEndIncluding": "2018.4.1.0", "versionStartIncluding": "2018.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM API Connect v2018.1 and 2018.4.1 is affected by an information disclosure vulnerability in the consumer API. Any registered user can obtain a list of all other users in all other orgs, including email id/names, etc. IBM X-Force ID: 155148."}, {"lang": "es", "value": "IBM API Connect, en su versi\u00f3n v2018.1 y 2018.4.1, est\u00e1 afectado por una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en la API del consumidor. Cualquier usuario registrado puede obtener una lista de todos los usuarios en otras p\u00e1ginas .org, incluyendo ID/nombres, etc. IBM X-Force ID: 155148."}], "id": "CVE-2018-2009", "lastModified": "2019-10-09T23:39:52.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Secondary"}]}, "published": "2019-03-11T22:29:00.813", "references": [{"source": "psirt@us.ibm.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/107396"}, {"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/155148"}, {"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/docview.wss?uid=ibm10794327"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}