Sensitive Information Exposure in IBM API Connect Product
CVE-2020-4640

3.4LOW

Key Information:

Vendor: IBM
Status: Api Connect
Vendor: CVE Published:; 4 February 2021

Summary

Certain configurations of IBM API Connect versions 10.0.0.0 to 10.0.1.0 and 2018.4.1.0 to 2018.4.1.13 may lead to exposure of sensitive information via URL fragment identifiers. This information can be cached by intermediary systems, such as proxy servers and logging platforms, potentially allowing an attacker to impersonate a user and exploit the exposed data for malicious activities.

Affected Version(s)

API Connect 2018.4.1.0

API Connect 2018.4.1.13

API Connect 10.0.0.0

References

https://www.ibm.com/support/pages/node/6410486

x_refsource_CONFIRM

https://exchange.xforce.ibmcloud.com/vulnerabilities/185510

vdb-entryx_refsource_XF

CVSS V3.1

Score:

3.4

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 4, 2021
Vulnerability Reserved
Dec 30, 2019