CVE-2021-20440

{"id": "CVE-2021-20440", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 1.6}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2021-03-15T16:15:13.217", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196536", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/6430107", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "IBM API Connect 10.0.0.0, and 2018.4.1.0 through 2018.4.1.13 does not restrict member registration to the intended recepient. An attacker who is a valid user in the user registry used by API Manager can use a stolen invitation link and register themselves as a member of an API provider organization. IBM X-Force ID: 196536."}, {"lang": "es", "value": "IBM API Connect versiones 10.0.0.0 y 2018.4.1.0 hasta 2018.4.1.13, no restringe el registro de miembros al destinatario previsto. Un atacante que sea un usuario v\u00e1lido en el registro de usuarios usado por API Manager puede usar un enlace de invitaci\u00f3n robado y registrarse como miembro de una organizaci\u00f3n proveedora de API. IBM X-Force ID: 196536"}], "lastModified": "2021-03-17T15:31:21.580", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:api_connect:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "403B95C9-40E9-4F9D-AE7D-5B3BC2ECE8A5", "versionEndIncluding": "2018.4.1.13", "versionStartIncluding": "2018.4.1.0"}, {"criteria": "cpe:2.3:a:ibm:api_connect:10.0.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AF48BB29-806D-4613-A1D8-77462461245E"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}