Vulnerability Information
Vulnerability Title
N/A
Vulnerability Description
It is possible to manipulate the JWT token without knowledge of the JWT secret and to authenticate as any user without a valid JWT token. This happens only when zOSMF does not have APAR PH12143 applied. This issue affects versions 1.16 to 1.19. Services that use the ZAAS client or the API ML API to query will be deceived into believing that the information in the JWT token is valid when it is not. This can be used to persuade the southbound service that a different user is authenticated.
CVSS Information
N/A
Vulnerability Type
Improper Privilege Management
Vulnerability Title
API Mediation Layer authorization vulnerability
Vulnerability Description
API Mediation Layer is an API mediation layer that provides a single access point for mainframe service REST APIs. API Mediation Layer versions 1.16 through 1.19 contain a security vulnerability. An attacker exploiting this vulnerability can manipulate JWT tokens without knowing the JWT secret.
CVSS Information
N/A
Vulnerability Type
N/A