CVE-2022-34350

Name of the Vulnerable Software and Affected Versions IBM API Connect versions 10.0.0.0 through 10.0.5.0 IBM API Connect versions 10.0.1.0 through 10.0.1.7 IBM API Connect versions 2018.4.1.0 through 2018.4.1.20

Description The issue is caused by improper validation of user-supplied input, allowing a remote attacker to exploit the vulnerability and induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with.

Recommendations For IBM API Connect versions 10.0.0.0 through 10.0.5.0, update to a version that properly validates user-supplied input to prevent External Service Interaction attacks. For IBM API Connect versions 10.0.1.0 through 10.0.1.7, update to a version that properly validates user-supplied input to prevent External Service Interaction attacks. For IBM API Connect versions 2018.4.1.0 through 2018.4.1.20, update to a version that properly validates user-supplied input to prevent External Service Interaction attacks. As a temporary workaround, consider restricting the application's ability to perform server-side DNS lookups or HTTP requests to arbitrary domain names until a patch is available.