How severe is CVE-2023-28640?

This vulnerability has a severity rating of LOW with a CVSS score of 3.1 out of 10.

What type of vulnerability is CVE-2023-28640?

This is classified as CWE-269, which is a common weakness in software security.

CVE-2023-28640 - LOW Severity | CVSS 3.1

Vulnerability Description

Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client ID, and Client Version of the targeted non-permitted resource. While not trivial to exploit, it could be achieved by brute-forcing or guessing common names. Access to the non-permitted API Keys could allow use of other users' resources without their permission (depending on the specifics of configuration, such as whether an API key is the only form of security). Apiman 3.1.0.Final resolved this issue. Users are advised to upgrade. The only known workaround is to restrict account access.

Related Vulnerabilities

CVE-2017-1150

LOW

CVSS:3.1(Low)

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.1, 10.5, and 11.1 could allow an authenticated attacker with specialized access to tables that they should not be permitted to view...

CWE-2692017

CVE-2012-2148

LOW

CVSS:3.3(Low)

An issue exists in the property replacements feature in any descriptor in JBoxx AS 7.1.1 ignores java security policies

CWE-2692012

CVE-2017-5084

LOW

CVSS:3.3(Low)

Inappropriate implementation in image-burner in Google Chrome OS prior to 59.0.3071.92 allowed a local attacker to read local files via dbus-send commands to a BurnImage D-Bus endpoint.

CWE-2692017

CVE-2019-15332

LOW

CVSS:3.3(Low)

The Lava Z61 Android device with a build fingerprint of LAVA/Z61_2GB/Z61_2GB:8.1.0/O11019/1533889281:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave ap...

CWE-2692019

CVE-2020-16126

LOW

CVSS:3.3(Low)

An Ubuntu-specific modification to AccountsService in versions before 0.6.55-0ubuntu13.2, among other earlier versions, improperly dropped the ruid, allowing untrusted users to send signals to Account...

CWE-2692020

CVE-2020-4603

LOW

CVSS:3.3(Low)

IBM Security Guardium Insights 2.0.1 performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weak...

CWE-2692020