PT-2018-14190 · IBM · LoopBack

Zbarbutos · Published 2018-12-20 · Updated 2019-10-09 · CVE-2018-1778

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
IBM LoopBack versions 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4

Description
The issue allows an attacker to bypass authentication if the AccessToken model is exposed over the REST API. LoopBack's built-in AccessToken model stores the userId of the account it belongs to, and an exposed model accepts ordinary create requests from unauthenticated clients. An attacker who knows the userId of any account can therefore create an AccessToken for that account and present the returned token id as that user, gaining access to the user's data and privileges, including administrative privileges if the targeted user is an admin.

Recommendations
For versions 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4, restrict access to the AccessToken model over the REST API to prevent unauthorized access. As a temporary workaround, stop exposing the AccessToken model over REST until a fix is available; in a LoopBack application this is done by setting "public": false for the AccessToken entry in server/model-config.json (an entry is exposed unless "public" is explicitly false). Do not let clients supply the userId of a token through the affected endpoint until the issue is resolved; tokens should only be created server-side as the result of a successful login.

Fix

Weakness Enumeration
Improper Authentication (CWE-287)

Related Identifiers
CVE-2018-1778

Affected Products
LoopBack