HTTP Header Injection Vulnerability in IBM API Connect
CVE-2020-4706

5.4MEDIUM

Key Information:

Vendor: IBM
Status: Api Connect
Vendor: CVE Published:; 17 August 2021

Summary

IBM API Connect versions 5.0.0.0 through 5.0.8.10 are susceptible to an HTTP header injection vulnerability due to insufficient validation of user input in the HOST headers. When an attacker sends a crafted HTTP request, they could manipulate the HOST header, thereby enabling a range of potential attacks, including cross-site scripting, cache poisoning, and session hijacking, exploiting the security weakness of the affected system.

Affected Version(s)

API Connect 5.0.0.0

API Connect 5.0.8.10

References

https://www.ibm.com/support/pages/node/6481879

x_refsource_CONFIRM

https://exchange.xforce.ibmcloud.com/vulnerabilities/187194

vdb-entryx_refsource_XF

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 17, 2021
Vulnerability Reserved
Dec 30, 2019