cnvd - cnvd-2015-01840

CNVD-2015-01840

Vulnerability from cnvd - Published: 2015-03-20

Title

IBM API Management信息泄露漏洞（CNVD-2015-01840）

Description

IBM API Management是IBM的一套完整的解决方案来帮助企业安全地创建、管理和连接应用程序接口(API),以便将其产品和服务拓展至各种移动渠道。 IBM API Management 3.0.4.1 之前的3.0版本存在信息泄露漏洞,允许已通过身份验证的远程用户通过未指定API调用获取敏感信息或修改数据。

Severity

中

Patch Name

IBM API Management信息泄露漏洞（CNVD-2015-01840）的补丁

Patch Description

IBM API Management是IBM的一套完整的解决方案来帮助企业安全地创建、管理和连接应用程序接口(API),以便将其产品和服务拓展至各种移动渠道。IBM API Management 3.0.4.1 之前的3.0版本存在信息泄露漏洞,允许已通过身份验证的远程用户通过未指定API调用获取敏感信息或修改数据。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞： http://www-01.ibm.com/support/docview.wss?uid=swg1LI78430

Reference

http://www-01.ibm.com/support/docview.wss?uid=swg1LI78430

Impacted products

Name
IBM API Management 3.0(<3.0.4.1)

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "73220"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-0149"
    }
  },
  "description": "IBM API Management\u662fIBM\u7684\u4e00\u5957\u5b8c\u6574\u7684\u89e3\u51b3\u65b9\u6848\u6765\u5e2e\u52a9\u4f01\u4e1a\u5b89\u5168\u5730\u521b\u5efa\u3001\u7ba1\u7406\u548c\u8fde\u63a5\u5e94\u7528\u7a0b\u5e8f\u63a5\u53e3(API),\u4ee5\u4fbf\u5c06\u5176\u4ea7\u54c1\u548c\u670d\u52a1\u62d3\u5c55\u81f3\u5404\u79cd\u79fb\u52a8\u6e20\u9053\u3002\r\n\r\nIBM API Management 3.0.4.1 \u4e4b\u524d\u76843.0\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e,\u5141\u8bb8\u5df2\u901a\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u7528\u6237\u901a\u8fc7\u672a\u6307\u5b9aAPI\u8c03\u7528\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u4fee\u6539\u6570\u636e\u3002",
  "discovererName": "IBM",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://www-01.ibm.com/support/docview.wss?uid=swg1LI78430",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-01840",
  "openTime": "2015-03-20",
  "patchDescription": "IBM API Management\u662fIBM\u7684\u4e00\u5957\u5b8c\u6574\u7684\u89e3\u51b3\u65b9\u6848\u6765\u5e2e\u52a9\u4f01\u4e1a\u5b89\u5168\u5730\u521b\u5efa\u3001\u7ba1\u7406\u548c\u8fde\u63a5\u5e94\u7528\u7a0b\u5e8f\u63a5\u53e3(API),\u4ee5\u4fbf\u5c06\u5176\u4ea7\u54c1\u548c\u670d\u52a1\u62d3\u5c55\u81f3\u5404\u79cd\u79fb\u52a8\u6e20\u9053\u3002IBM API Management 3.0.4.1 \u4e4b\u524d\u76843.0\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e,\u5141\u8bb8\u5df2\u901a\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u7528\u6237\u901a\u8fc7\u672a\u6307\u5b9aAPI\u8c03\u7528\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u4fee\u6539\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM API Management\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2015-01840\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "IBM API Management 3.0(\u003c3.0.4.1)"
  },
  "referenceLink": "http://www-01.ibm.com/support/docview.wss?uid=swg1LI78430",
  "serverity": "\u4e2d",
  "submitTime": "2015-03-19",
  "title": "IBM API Management\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2015-01840\uff09"
}

CVE-2015-0149 (GCVE-0-2015-0149)

Vulnerability from cvelistv5 – Published: 2015-03-18 10:00 – Updated: 2024-08-06 04:03

Summary

The developer portal in IBM API Management 3.0 before 3.0.4.1 does not properly restrict access to the public and private APIs, which allows remote authenticated users to obtain sensitive information or modify data via unspecified API calls.

Severity ?

No CVSS data available.

CWE

Assigner

ibm

References

URL

Tags

	http://www-01.ibm.com/support/docview.wss?uid=swg…	vendor-advisoryx_refsource_AIXAPAR
	http://www-01.ibm.com/support/docview.wss?uid=swg…	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:03:10.372Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "LI78430",
            "tags": [
              "vendor-advisory",
              "x_refsource_AIXAPAR",
              "x_transferred"
            ],
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1LI78430"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696693"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-02-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The developer portal in IBM API Management 3.0 before 3.0.4.1 does not properly restrict access to the public and private APIs, which allows remote authenticated users to obtain sensitive information or modify data via unspecified API calls."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2015-03-18T07:57:00",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "name": "LI78430",
          "tags": [
            "vendor-advisory",
            "x_refsource_AIXAPAR"
          ],
          "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1LI78430"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696693"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "ID": "CVE-2015-0149",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The developer portal in IBM API Management 3.0 before 3.0.4.1 does not properly restrict access to the public and private APIs, which allows remote authenticated users to obtain sensitive information or modify data via unspecified API calls."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "LI78430",
              "refsource": "AIXAPAR",
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1LI78430"
            },
            {
              "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21696693",
              "refsource": "CONFIRM",
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696693"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2015-0149",
    "datePublished": "2015-03-18T10:00:00",
    "dateReserved": "2014-11-18T00:00:00",
    "dateUpdated": "2024-08-06T04:03:10.372Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2015-01840

CVE-2015-0149 (GCVE-0-2015-0149)

Tags

Sightings

Nomenclature