IBM API Connect 10.0.0.0, and 2018.4.1.0 through 2018.4.1.13 does not restrict member registration to the intended recepient. An attacker who is a valid user in the user registry used by API Manager can use a stolen invitation link and register themselves as a member of an API provider organization. IBM X-Force ID: 196536.
References
Link | Resource |
---|---|
https://www.ibm.com/support/pages/node/6430107 | Vendor Advisory |
https://exchange.xforce.ibmcloud.com/vulnerabilities/196536 | VDB Entry Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2021-03-15 09:15
Updated : 2021-03-17 08:31
NVD link : CVE-2021-20440
Mitre link : CVE-2021-20440
JSON object : View
CWE
Products Affected
ibm
- api_connect