PT-2021-12146 · IBM · IBM API Connect
Published 2021-02-04 · Updated 2021-02-05 · CVE-2020-4640
CVSS v3.1: 4.1 (Medium)
| Vector | AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
IBM API Connect versions 10.0.0.0 through 10.0.1.0
IBM API Connect versions 2018.4.1.0 through 2018.4.1.13
Description
Certain configurations can result in sensitive information being stored in URL fragment identifiers, which can be cached by intermediate nodes such as proxy servers, CDNs, and logging platforms. An attacker can exploit this information to impersonate a user.
Recommendations
For versions 10.0.0.0 through 10.0.1.0 and versions 2018.4.1.0 through 2018.4.1.13, consider reconfiguring the API so that sensitive information is not placed in URL fragment identifiers.
As a temporary workaround, consider implementing measures to restrict access to cached sensitive information, such as configuring proxy servers and logging platforms to exclude URL fragment identifiers from caching.
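The workaround above asks operators to keep URL fragment identifiers out of caches and logs. The following is an added example, not code from the advisory or from IBM, showing how a logging platform's ingest stage can do that: it strips the fragment from every URL before a line is written, and separately reports which existing lines already carry a fragment so that retained logs can be reviewed. The host name `api.example.invalid`, the `fragment_only` token value and the sample log lines are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches an absolute http(s) URL embedded in free-form log text.
# The match ends at whitespace or a quote, which is where URLs end
# in typical access-log formats.
URL_RE = re.compile(r'https?://[^\s"\']+')


def strip_fragment(url: str) -> str:
    """Return the URL with its fragment identifier (everything after '#') removed.

    Scheme, host, path and query string are kept unchanged; only the
    fragment is dropped, because that is the component the advisory
    identifies as carrying sensitive data.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def scrub_log_line(line: str) -> str:
    """Rewrite every URL in a log line so that no fragment reaches storage."""
    return URL_RE.sub(lambda m: strip_fragment(m.group(0)), line)


def find_fragment_leaks(lines):
    """Detection helper for logs that were written before scrubbing was enabled.

    Returns (line_number, fragment) pairs for every URL that still carries a
    fragment identifier, so the affected entries can be purged or reviewed.
    """
    leaks = []
    for number, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            fragment = urlsplit(url).fragment
            if fragment:
                leaks.append((number, fragment))
    return leaks


# Constructed sample lines in a common access-log shape; the token values are
# placeholders, not real credentials.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Feb/2021:10:00:01 +0000] "GET https://api.example.invalid/cb#access_token=CONSTRUCTED_TOKEN&state=abc HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Feb/2021:10:00:02 +0000] "GET https://api.example.invalid/health HTTP/1.1" 200 2',
    '203.0.113.9 - - [04/Feb/2021:10:00:03 +0000] "GET https://api.example.invalid/docs?page=2#fragment_only HTTP/1.1" 200 1024',
]


def scrub_all(lines):
    """Apply scrub_log_line to a whole batch; this is what an ingest filter would call."""
    return [scrub_log_line(line) for line in lines]


if __name__ == "__main__":
    for number, fragment in find_fragment_leaks(SAMPLE_LOG):
        print(f"line {number}: fragment present ({len(fragment)} chars)")
    for line in scrub_all(SAMPLE_LOG):
        print(line)
```

`find_fragment_leaks` reports only the line number and the fragment length when run as a script, so that the detection output does not itself copy the sensitive value into another log; the returned fragment is available to the caller for controlled handling.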
Fix
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
IBM API Connect