CVE-2020-4640
low-risk
Published 2021-02-04
Certain IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 configurations can place sensitive information in URL fragment identifiers. This information can be cached by intermediate nodes such as proxy servers, CDNs, and logging platforms. An attacker can use this information to impersonate a user. IBM X-Force ID: 185510.
Do I need to act?
EPSS score: 0.08% chance of exploitation (low exploit probability)
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 4.1/10 (Medium)
Attack vector: ADJACENT_NETWORK / LOW complexity
Affected Products (3)
Affected Vendors
References (4)
Vendor Advisory
https://www.ibm.com/support/pages/node/6410486
Overall score: 24 / 100 (low-risk)
Severity: 15/34 · Moderate
Exploitability: 0/34 · Minimal
Exposure: 9/34 · Low