CVE-2018-1670

Vulnerability

IBM Financial Transaction Manager (FTM) for ACH Services (v3.0.2.0–3.0.2.1) and for Check Services (v3.0.0.0–3.0.0.15, v3.0.2.0–3.0.2.1, v3.0.5.0–3.0.5.1) on Multi-Platform write sensitive product configuration information into log files. An authenticated user with access to these logs can read the configuration data. [1][2]

Exploitation

An attacker must have valid authentication credentials to the FTM system and the ability to read log files (e.g., via file access or log viewing interfaces). No special privileges beyond authentication are required; the vulnerability is triggered simply by accessing the log files that contain the configuration details. [1][2]

Impact

Successful exploitation results in the disclosure of sensitive product configuration information, which could aid an attacker in further attacks. The CVSS v3.0 base score is 3.1 (Low), with a vector of AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating low confidentiality impact and no integrity or availability impact. [1][2]

Mitigation

IBM has not provided a fix or workaround in the available references. The security bulletins state "None" under Workarounds and Mitigations. Affected users should monitor IBM's support pages for future updates. [1][2]