Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
80 vulnerabilities found for datapower_gateway by ibm
CVE-2025-36375 (GCVE-0-2025-36375)
Vulnerability from nvd – Published: 2026-04-01 22:50 – Updated: 2026-04-03 13:56
VLAI?
Title
IBM DataPower Gateway vulnerable to CSRF
Summary
IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Severity ?
6.5 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| IBM | DataPower Gateway 10.6CD |
Affected:
10.6.1.0 , ≤ 10.6.5.0
(semver)
cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:* |
||||||||||||
|
||||||||||||||
Credits
Acknowledgement This vulnerability was reported to IBM by Maciej Włodarczyk & Michał Bartoszuk @ STM Cyber.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T13:45:08.878992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:56:04.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:*"
],
"product": "DataPower Gateway 10.6CD",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "10.6.5.0",
"status": "affected",
"version": "10.6.1.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.20:*:*:*:*:*:*:*"
],
"product": "DataPower Gateway 10.5.0",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "10.5.0.20",
"status": "affected",
"version": "10.5.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.8:*:*:*:*:*:*:*"
],
"product": "DataPower Gateway 10.6.0",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "10.6.0.8",
"status": "affected",
"version": "10.6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Acknowledgement This vulnerability was reported to IBM by Maciej W\u0142odarczyk \u0026 Micha\u0142 Bartoszuk @ STM Cyber."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.\u003c/p\u003e"
}
],
"value": "IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T22:50:51.697Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7268034"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cbr\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAffected Product(s)\u003c/td\u003e\u003ctd\u003eFixed in Version\u003c/td\u003e\u003ctd\u003eFix link\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.0\u003c/td\u003e\u003ctd\u003e10.6.6.0\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.x?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.6.x\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.6.0\u0026nbsp; 10.6.0.0 - 10.6.0.8\u003c/td\u003e\u003ctd\u003e10.6.0.9\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.6.0\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.5.0\u0026nbsp; 10.5.0.0 - 10.5.0.20\u003c/td\u003e\u003ctd\u003e10.5.0.21\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.5.0\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003eIBM strongly recommends upgrading to a fixed version\u003c/p\u003e"
}
],
"value": "Affected Product(s)Fixed in VersionFix linkIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.010.6.6.0 Installation and Upgrade 10.6.x https://www.ibm.com/docs/en/datapower-gateway/10.6.x IBM DataPower Gateway 10.6.0\u00a0 10.6.0.0 - 10.6.0.810.6.0.9 Installation and Upgrade 10.6.0 https://www.ibm.com/docs/en/datapower-gateway/10.6.0 IBM DataPower Gateway 10.5.0\u00a0 10.5.0.0 - 10.5.0.2010.5.0.21 Installation and Upgrade 10.5.0 https://www.ibm.com/docs/en/datapower-gateway/10.5.0 \n\nIBM strongly recommends upgrading to a fixed version"
}
],
"title": "IBM DataPower Gateway vulnerable to CSRF",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36375",
"datePublished": "2026-04-01T22:50:51.697Z",
"dateReserved": "2025-04-15T21:16:56.325Z",
"dateUpdated": "2026-04-03T13:56:04.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36373 (GCVE-0-2025-36373)
Vulnerability from nvd – Published: 2026-04-01 20:47 – Updated: 2026-04-02 15:49
VLAI?
Title
Incorrect administrative access control in IBM DataPower Gateway
Summary
IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.
Severity ?
4.1 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| IBM | DataPower Gateway 10.6CD |
Affected:
10.6.1.0 , ≤ 10.6.5.0
(semver)
cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:* |
||||||||||||
|
||||||||||||||
Credits
Acknowledgement This vulnerability was reported to IBM by Michał Bartoszuk & Maciej Włodarczyk @ STM Cyber.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T15:48:55.294586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T15:49:19.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:*"
],
"product": "DataPower Gateway 10.6CD",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "10.6.5.0",
"status": "affected",
"version": "10.6.1.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.20:*:*:*:*:*:*:*"
],
"product": "DataPower Gateway 10.5.0",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "10.5.0.20",
"status": "affected",
"version": "10.5.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.8:*:*:*:*:*:*:*"
],
"product": "DataPower Gateway 10.6.0",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "10.6.0.8",
"status": "affected",
"version": "10.6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Acknowledgement This vulnerability was reported to IBM by Micha\u0142 Bartoszuk \u0026 Maciej W\u0142odarczyk @ STM Cyber."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.\u003c/p\u003e"
}
],
"value": "IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T20:49:32.409Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7267833"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAffected Product(s)\u003c/td\u003e\u003ctd\u003eFixed in version\u003c/td\u003e\u003ctd\u003eFix list\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.0\u003c/td\u003e\u003ctd\u003e10.6.6.0\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.x?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.6.x\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.5.0.0 - 10.5.0.20\u003c/td\u003e\u003ctd\u003e10.5.0.21\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.5.0\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.6.0.0 - 10.6.0.8\u003c/td\u003e\u003ctd\u003e10.6.0.9\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.6.0\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Affected Product(s)Fixed in versionFix listIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.010.6.6.0 Installation and Upgrade 10.6.x https://www.ibm.com/docs/en/datapower-gateway/10.6.x IBM DataPower Gateway 10.5.0.0 - 10.5.0.2010.5.0.21 Installation and Upgrade 10.5.0 https://www.ibm.com/docs/en/datapower-gateway/10.5.0 IBM DataPower Gateway 10.6.0.0 - 10.6.0.810.6.0.9 Installation and Upgrade 10.6.0 https://www.ibm.com/docs/en/datapower-gateway/10.6.0"
}
],
"title": "Incorrect administrative access control in IBM DataPower Gateway",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36373",
"datePublished": "2026-04-01T20:47:46.485Z",
"dateReserved": "2025-04-15T21:16:56.325Z",
"dateUpdated": "2026-04-02T15:49:19.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-40228 (GCVE-0-2022-40228)
Vulnerability from nvd – Published: 2022-11-22 18:52 – Updated: 2025-04-25 19:56
VLAI?
Title
IBM DataPower Gateway session fixation
Summary
IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.
Severity ?
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
10.0.3.0 , < 10.0.4.0
(semver)
Affected: 10.0.1.0 , < 10.0.1.9 (semver) Affected: 2018.4.1.0 , < 2018.4.1.22 (semver) Affected: 10.5.0.0 , < 10.5.0.2 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6840759"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/235527"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-25T19:56:47.775668Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T19:56:58.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"lessThan": "10.0.4.0",
"status": "affected",
"version": "10.0.3.0",
"versionType": "semver"
},
{
"lessThan": "10.0.1.9",
"status": "affected",
"version": "10.0.1.0",
"versionType": "semver"
},
{
"lessThan": "2018.4.1.22",
"status": "affected",
"version": "2018.4.1.0",
"versionType": "semver"
},
{
"lessThan": "10.5.0.2",
"status": "affected",
"version": "10.5.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(204, 217, 226);\"\u003e\n\n\u003cspan style=\"background-color: rgb(204, 217, 226);\"\u003eIBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "\n\n\nIBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-22T18:52:13.196Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/6840759"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/235527"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM DataPower Gateway session fixation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-40228",
"datePublished": "2022-11-22T18:52:13.196Z",
"dateReserved": "2022-09-08T15:59:19.267Z",
"dateUpdated": "2025-04-25T19:56:58.200Z",
"requesterUserId": "69938c14-a5a2-41ac-a450-71ed41911136",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31773 (GCVE-0-2022-31773)
Vulnerability from nvd – Published: 2022-08-26 17:25 – Updated: 2024-09-16 18:50
VLAI?
Summary
IBM DataPower Gateway V10CD, 10.0.1, and 2018.4.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 228357.
Severity ?
CWE
- Gain Access
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.4.0 Affected: 2018.4.1.21 Affected: 10.0.1.8 |
Date Public ?
2022-08-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:26:01.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6615307"
},
{
"name": "ibm-datapower-cve202231773-csrf (228357)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228357"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.4.0"
},
{
"status": "affected",
"version": "2018.4.1.21"
},
{
"status": "affected",
"version": "10.0.1.8"
}
]
}
],
"datePublic": "2022-08-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway V10CD, 10.0.1, and 2018.4.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 228357."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 7.7,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/C:H/A:H/S:U/UI:R/I:H/AC:L/PR:N/AV:N/RC:C/E:U/RL:O",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Gain Access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-26T17:25:12.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6615307"
},
{
"name": "ibm-datapower-cve202231773-csrf (228357)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228357"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-08-25T00:00:00",
"ID": "CVE-2022-31773",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.4.0"
},
{
"version_value": "2018.4.1.21"
},
{
"version_value": "10.0.1.8"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway V10CD, 10.0.1, and 2018.4.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 228357."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "H",
"AC": "L",
"AV": "N",
"C": "H",
"I": "H",
"PR": "N",
"S": "U",
"UI": "R"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Gain Access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6615307",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6615307 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6615307"
},
{
"name": "ibm-datapower-cve202231773-csrf (228357)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228357"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-31773",
"datePublished": "2022-08-26T17:25:12.579Z",
"dateReserved": "2022-05-27T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:50:13.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32750 (GCVE-0-2022-32750)
Vulnerability from nvd – Published: 2022-07-31 16:07 – Updated: 2024-09-16 16:23
VLAI?
Summary
IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228435.
Severity ?
CWE
- Cross-Site Scripting
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.4.0 Affected: 2018.4.1.21 Affected: 10.1.0.8 Affected: 10.5.0.0 |
Date Public ?
2022-07-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:46:45.386Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6608600"
},
{
"name": "ibm-datapower-cve202232750-xss (228435)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228435"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.4.0"
},
{
"status": "affected",
"version": "2018.4.1.21"
},
{
"status": "affected",
"version": "10.1.0.8"
},
{
"status": "affected",
"version": "10.5.0.0"
}
]
}
],
"datePublic": "2022-07-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228435."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "CHANGED",
"temporalScore": 5.2,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/PR:L/UI:R/C:L/AV:N/I:L/AC:L/S:C/A:N/E:H/RL:O/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-31T16:07:48.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6608600"
},
{
"name": "ibm-datapower-cve202232750-xss (228435)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228435"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-07-29T00:00:00",
"ID": "CVE-2022-32750",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.4.0"
},
{
"version_value": "2018.4.1.21"
},
{
"version_value": "10.1.0.8"
},
{
"version_value": "10.5.0.0"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228435."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "L",
"S": "C",
"UI": "R"
},
"TM": {
"E": "H",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6608600",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6608600 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6608600"
},
{
"name": "ibm-datapower-cve202232750-xss (228435)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228435"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-32750",
"datePublished": "2022-07-31T16:07:48.901Z",
"dateReserved": "2022-06-09T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:23:00.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31776 (GCVE-0-2022-31776)
Vulnerability from nvd – Published: 2022-07-31 16:07 – Updated: 2024-09-17 04:20
VLAI?
Summary
IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433.
Severity ?
CWE
- Gain Access
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.4.0 Affected: 2018.4.1.21 Affected: 10.1.0.8 Affected: 10.5.0.0 |
Date Public ?
2022-07-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:26:01.231Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6608604"
},
{
"name": "ibm-datapower-cve202231776-ssrf (228433)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228433"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.4.0"
},
{
"status": "affected",
"version": "2018.4.1.21"
},
{
"status": "affected",
"version": "10.1.0.8"
},
{
"status": "affected",
"version": "10.5.0.0"
}
]
}
],
"datePublic": "2022-07-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 5.7,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/UI:N/I:L/C:L/AV:N/PR:N/A:N/AC:L/S:U/RC:C/E:U/RL:O",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Gain Access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-31T16:07:12.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6608604"
},
{
"name": "ibm-datapower-cve202231776-ssrf (228433)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228433"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-07-29T00:00:00",
"ID": "CVE-2022-31776",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.4.0"
},
{
"version_value": "2018.4.1.21"
},
{
"version_value": "10.1.0.8"
},
{
"version_value": "10.5.0.0"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Gain Access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6608604",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6608604 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6608604"
},
{
"name": "ibm-datapower-cve202231776-ssrf (228433)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228433"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-31776",
"datePublished": "2022-07-31T16:07:13.000Z",
"dateReserved": "2022-05-27T00:00:00.000Z",
"dateUpdated": "2024-09-17T04:20:23.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31775 (GCVE-0-2022-31775)
Vulnerability from nvd – Published: 2022-07-31 16:06 – Updated: 2024-09-16 19:46
VLAI?
Summary
IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359.
Severity ?
CWE
- Denial of Service
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.4.0 Affected: 10.5.0.0 Affected: 2018.4.1.20 Affected: 10.1.0.7 |
Date Public ?
2022-07-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:26:01.083Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6608608"
},
{
"name": "ibm-datapower-cve202231775-xxe (228359)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228359"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.4.0"
},
{
"status": "affected",
"version": "10.5.0.0"
},
{
"status": "affected",
"version": "2018.4.1.20"
},
{
"status": "affected",
"version": "10.1.0.7"
}
]
}
],
"datePublic": "2022-07-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 4.8,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:L/S:U/A:H/PR:H/UI:N/I:N/AV:N/C:L/E:U/RL:O/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-31T16:06:37.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6608608"
},
{
"name": "ibm-datapower-cve202231775-xxe (228359)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228359"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-07-29T00:00:00",
"ID": "CVE-2022-31775",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.4.0"
},
{
"version_value": "10.5.0.0"
},
{
"version_value": "2018.4.1.20"
},
{
"version_value": "10.1.0.7"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "H",
"AC": "L",
"AV": "N",
"C": "L",
"I": "N",
"PR": "H",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6608608",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6608608 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6608608"
},
{
"name": "ibm-datapower-cve202231775-xxe (228359)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228359"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-31775",
"datePublished": "2022-07-31T16:06:37.375Z",
"dateReserved": "2022-05-27T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:46:54.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31774 (GCVE-0-2022-31774)
Vulnerability from nvd – Published: 2022-07-31 16:05 – Updated: 2024-09-16 20:16
VLAI?
Summary
IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228358.
Severity ?
CWE
- Cross-Site Scripting
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.4.0 Affected: 2018.4.1.21 Affected: 10.1.0.8 Affected: 10.5.0.0 |
Date Public ?
2022-07-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:26:01.284Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6608600"
},
{
"name": "ibm-datapower-cve202231774-xss (228358)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228358"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.4.0"
},
{
"status": "affected",
"version": "2018.4.1.21"
},
{
"status": "affected",
"version": "10.1.0.8"
},
{
"status": "affected",
"version": "10.5.0.0"
}
]
}
],
"datePublic": "2022-07-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228358."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "CHANGED",
"temporalScore": 5.2,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/A:N/AC:L/S:C/UI:R/C:L/AV:N/I:L/PR:L/RC:C/RL:O/E:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-31T16:05:55.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6608600"
},
{
"name": "ibm-datapower-cve202231774-xss (228358)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228358"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-07-29T00:00:00",
"ID": "CVE-2022-31774",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.4.0"
},
{
"version_value": "2018.4.1.21"
},
{
"version_value": "10.1.0.8"
},
{
"version_value": "10.5.0.0"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228358."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "L",
"S": "C",
"UI": "R"
},
"TM": {
"E": "H",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6608600",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6608600 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6608600"
},
{
"name": "ibm-datapower-cve202231774-xss (228358)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228358"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-31774",
"datePublished": "2022-07-31T16:05:55.923Z",
"dateReserved": "2022-05-27T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:16:42.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22326 (GCVE-0-2022-22326)
Vulnerability from nvd – Published: 2022-07-31 16:05 – Updated: 2024-09-16 18:03
VLAI?
Summary
IBM Datapower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 could allow unauthorized viewing of logs and files due to insufficient authorization checks. IBM X-Force ID: 218856.
Severity ?
CWE
- Obtain Information
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.4.0 Affected: 2018.4.1.18 Affected: 10.1.0.5 |
Date Public ?
2022-07-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:07:50.310Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6560048"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6608598"
},
{
"name": "ibm-mq-cve202222326-info-disc (218856)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218856"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.4.0"
},
{
"status": "affected",
"version": "2018.4.1.18"
},
{
"status": "affected",
"version": "10.1.0.5"
}
]
}
],
"datePublic": "2022-07-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM Datapower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 could allow unauthorized viewing of logs and files due to insufficient authorization checks. IBM X-Force ID: 218856."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 3.5,
"temporalSeverity": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/A:N/S:U/AC:L/I:N/C:L/AV:L/UI:N/PR:N/E:U/RL:O/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Obtain Information",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-31T16:05:24.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6560048"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6608598"
},
{
"name": "ibm-mq-cve202222326-info-disc (218856)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218856"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-07-29T00:00:00",
"ID": "CVE-2022-22326",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.4.0"
},
{
"version_value": "2018.4.1.18"
},
{
"version_value": "10.1.0.5"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM Datapower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 could allow unauthorized viewing of logs and files due to insufficient authorization checks. IBM X-Force ID: 218856."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "L",
"C": "L",
"I": "N",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Obtain Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6560048",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6560048 (MQ Appliance)",
"url": "https://www.ibm.com/support/pages/node/6560048"
},
{
"name": "https://www.ibm.com/support/pages/node/6608598",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6608598 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6608598"
},
{
"name": "ibm-mq-cve202222326-info-disc (218856)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218856"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-22326",
"datePublished": "2022-07-31T16:05:25.070Z",
"dateReserved": "2022-01-03T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:03:08.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38944 (GCVE-0-2021-38944)
Vulnerability from nvd – Published: 2022-05-18 19:30 – Updated: 2024-09-16 22:10
VLAI?
Summary
IBM DataPower Gateway 10.0.2.0 through 1.0.3.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 211236.
Severity ?
CWE
- Gain Access
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.1.5 Affected: 10.0.3.0 Affected: 2018.4.1.18 |
Date Public ?
2022-05-17 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:51:20.786Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6587070"
},
{
"name": "ibm-datapower-cve202138944-header-injection (211236)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/211236"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.1.5"
},
{
"status": "affected",
"version": "10.0.3.0"
},
{
"status": "affected",
"version": "2018.4.1.18"
}
]
}
],
"datePublic": "2022-05-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.2.0 through 1.0.3.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 211236."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 4.2,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/C:L/A:N/I:L/UI:N/PR:N/S:U/AC:H/E:U/RC:C/RL:O",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Gain Access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-18T19:30:12.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6587070"
},
{
"name": "ibm-datapower-cve202138944-header-injection (211236)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/211236"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-05-17T00:00:00",
"ID": "CVE-2021-38944",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.1.5"
},
{
"version_value": "10.0.3.0"
},
{
"version_value": "2018.4.1.18"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.2.0 through 1.0.3.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 211236."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "H",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Gain Access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6587070",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6587070 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6587070"
},
{
"name": "ibm-datapower-cve202138944-header-injection (211236)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/211236"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2021-38944",
"datePublished": "2022-05-18T19:30:12.525Z",
"dateReserved": "2021-08-16T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:10:33.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38872 (GCVE-0-2021-38872)
Vulnerability from nvd – Published: 2022-05-17 16:25 – Updated: 2024-09-16 18:17
VLAI?
Summary
IBM DataPower Gateway 10.0.2.0, 10.0.3.0, 10.0.1.0 through 10.0.1.4, and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a denial of service by consuming resources with multiple requests. IBM X-Force ID: 208348.
Severity ?
CWE
- Denial of Service
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.1.4 Affected: 10.0.2.0 Affected: 10.0.3.0 Affected: 2018.4.1.17 |
Date Public ?
2022-05-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:51:20.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6586704"
},
{
"name": "ibm-datapower-cve202138872-dos (208348)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/208348"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.1.4"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.3.0"
},
{
"status": "affected",
"version": "2018.4.1.17"
}
]
}
],
"datePublic": "2022-05-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.2.0, 10.0.3.0, 10.0.1.0 through 10.0.1.4, and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a denial of service by consuming resources with multiple requests. IBM X-Force ID: 208348."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 4.6,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/PR:N/I:N/C:N/AV:N/A:L/AC:L/UI:N/S:U/RL:O/E:U/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-17T16:25:21.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6586704"
},
{
"name": "ibm-datapower-cve202138872-dos (208348)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/208348"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-05-16T00:00:00",
"ID": "CVE-2021-38872",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.1.4"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.3.0"
},
{
"version_value": "2018.4.1.17"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.2.0, 10.0.3.0, 10.0.1.0 through 10.0.1.4, and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a denial of service by consuming resources with multiple requests. IBM X-Force ID: 208348."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "L",
"AC": "L",
"AV": "N",
"C": "N",
"I": "N",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6586704",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6586704 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6586704"
},
{
"name": "ibm-datapower-cve202138872-dos (208348)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/208348"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2021-38872",
"datePublished": "2022-05-17T16:25:21.862Z",
"dateReserved": "2021-08-16T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:17:59.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-4994 (GCVE-0-2020-4994)
Vulnerability from nvd – Published: 2022-05-17 16:25 – Updated: 2024-09-16 23:01
VLAI?
Summary
IBM DataPower Gateway 10.0.1.0 through 10.0.1.4 and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a temporary denial of service by sending invalid HTTP requests. IBM X-Force ID: 192906.
Severity ?
CWE
- Denial of Service
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.1.4 Affected: 2018.4.1.17 |
Date Public ?
2022-05-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:08.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6586526"
},
{
"name": "ibm-datapower-cve20204994-dos (192906)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192906"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.1.4"
},
{
"status": "affected",
"version": "2018.4.1.17"
}
]
}
],
"datePublic": "2022-05-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.1.0 through 10.0.1.4 and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a temporary denial of service by sending invalid HTTP requests. IBM X-Force ID: 192906."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 4.6,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/PR:N/A:L/I:N/AV:N/C:N/S:U/UI:N/AC:L/RC:C/RL:O/E:U",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-17T16:25:18.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6586526"
},
{
"name": "ibm-datapower-cve20204994-dos (192906)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192906"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-05-16T00:00:00",
"ID": "CVE-2020-4994",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.1.4"
},
{
"version_value": "2018.4.1.17"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.1.0 through 10.0.1.4 and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a temporary denial of service by sending invalid HTTP requests. IBM X-Force ID: 192906."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "L",
"AC": "L",
"AV": "N",
"C": "N",
"I": "N",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6586526",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6586526 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6586526"
},
{
"name": "ibm-datapower-cve20204994-dos (192906)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192906"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2020-4994",
"datePublished": "2022-05-17T16:25:18.615Z",
"dateReserved": "2019-12-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:01:02.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38910 (GCVE-0-2021-38910)
Vulnerability from nvd – Published: 2022-03-10 19:50 – Updated: 2024-09-16 19:31
VLAI?
Summary
IBM DataPower Gateway V10CD, 10.0.1, and 2108.4.1 could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. By sending a specially crafted JSON message, an attacker could exploit this vulnerability to modify structure and fields. IBM X-Force ID: 209824.
Severity ?
CWE
- Bypass Security
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.1.5 Affected: 10.0.3.0 Affected: 2108.4.1.18 |
Date Public ?
2022-03-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:51:20.664Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6562347"
},
{
"name": "ibm-datapower-cve202138910-sec-bypass (209824)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209824"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.1.5"
},
{
"status": "affected",
"version": "10.0.3.0"
},
{
"status": "affected",
"version": "2108.4.1.18"
}
]
}
],
"datePublic": "2022-03-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway V10CD, 10.0.1, and 2108.4.1 could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. By sending a specially crafted JSON message, an attacker could exploit this vulnerability to modify structure and fields. IBM X-Force ID: 209824."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 3.2,
"temporalSeverity": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/UI:N/AC:H/I:L/A:N/PR:N/AV:N/C:N/S:U/RL:O/E:U/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Bypass Security",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-10T19:50:21.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6562347"
},
{
"name": "ibm-datapower-cve202138910-sec-bypass (209824)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209824"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-03-09T00:00:00",
"ID": "CVE-2021-38910",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.1.5"
},
{
"version_value": "10.0.3.0"
},
{
"version_value": "2108.4.1.18"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway V10CD, 10.0.1, and 2108.4.1 could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. By sending a specially crafted JSON message, an attacker could exploit this vulnerability to modify structure and fields. IBM X-Force ID: 209824."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "H",
"AV": "N",
"C": "N",
"I": "L",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Bypass Security"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6562347",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6562347 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6562347"
},
{
"name": "ibm-datapower-cve202138910-sec-bypass (209824)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209824"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2021-38910",
"datePublished": "2022-03-10T19:50:22.002Z",
"dateReserved": "2021-08-16T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:31:42.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-4992 (GCVE-0-2020-4992)
Vulnerability from nvd – Published: 2021-08-17 13:55 – Updated: 2024-09-16 19:09
VLAI?
Summary
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.16 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 192737.
Severity ?
CWE
- Gain Access
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 2018.4.1.16 |
Date Public ?
2021-08-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:07.565Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6481679"
},
{
"name": "ibm-datapower-cve20204992-csrf (192737)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192737"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "2018.4.1.16"
}
]
}
],
"datePublic": "2021-08-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.16 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 192737."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 3.8,
"temporalSeverity": "LOW",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/UI:R/S:U/AV:N/A:N/I:L/PR:N/AC:L/C:N/RL:O/E:U/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Gain Access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-17T13:55:13.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6481679"
},
{
"name": "ibm-datapower-cve20204992-csrf (192737)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192737"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2021-08-16T00:00:00",
"ID": "CVE-2020-4992",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "2018.4.1.16"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.16 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 192737."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "N",
"I": "L",
"PR": "N",
"S": "U",
"UI": "R"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Gain Access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6481679",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6481679 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6481679"
},
{
"name": "ibm-datapower-cve20204992-csrf (192737)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192737"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2020-4992",
"datePublished": "2021-08-17T13:55:13.982Z",
"dateReserved": "2019-12-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:09:58.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5008 (GCVE-0-2020-5008)
Vulnerability from nvd – Published: 2021-06-07 14:05 – Updated: 2024-09-16 20:48
VLAI?
Summary
IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 stores sensitive information in GET request parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 193033.
Severity ?
CWE
- Obtain Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.0.0 Affected: 10.0.1.0 Affected: 2018.4.1.14 |
Date Public ?
2021-06-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:08.510Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6459681"
},
{
"name": "ibm-datapower-cve20205008-info-disc (193033)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/193033"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.0.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "2018.4.1.14"
}
]
}
],
"datePublic": "2021-06-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 stores sensitive information in GET request parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 193033."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 3.2,
"temporalSeverity": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/C:L/I:N/UI:N/A:N/S:U/AC:H/PR:N/AV:N/E:U/RL:O/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Obtain Information",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-07T14:05:13.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6459681"
},
{
"name": "ibm-datapower-cve20205008-info-disc (193033)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/193033"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2021-06-04T00:00:00",
"ID": "CVE-2020-5008",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.0.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "2018.4.1.14"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 stores sensitive information in GET request parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 193033."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "H",
"AV": "N",
"C": "L",
"I": "N",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Obtain Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6459681",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6459681 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6459681"
},
{
"name": "ibm-datapower-cve20205008-info-disc (193033)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/193033"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2020-5008",
"datePublished": "2021-06-07T14:05:13.638Z",
"dateReserved": "2019-12-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:48:16.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36375 (GCVE-0-2025-36375)
Vulnerability from cvelistv5 – Published: 2026-04-01 22:50 – Updated: 2026-04-03 13:56
VLAI?
Title
IBM DataPower Gateway vulnerable to CSRF
Summary
IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Severity ?
6.5 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| IBM | DataPower Gateway 10.6CD |
Affected:
10.6.1.0 , ≤ 10.6.5.0
(semver)
cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:* |
||||||||||||
|
||||||||||||||
Credits
Acknowledgement This vulnerability was reported to IBM by Maciej Włodarczyk & Michał Bartoszuk @ STM Cyber.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T13:45:08.878992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:56:04.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:*"
],
"product": "DataPower Gateway 10.6CD",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "10.6.5.0",
"status": "affected",
"version": "10.6.1.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.20:*:*:*:*:*:*:*"
],
"product": "DataPower Gateway 10.5.0",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "10.5.0.20",
"status": "affected",
"version": "10.5.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.8:*:*:*:*:*:*:*"
],
"product": "DataPower Gateway 10.6.0",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "10.6.0.8",
"status": "affected",
"version": "10.6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Acknowledgement This vulnerability was reported to IBM by Maciej W\u0142odarczyk \u0026 Micha\u0142 Bartoszuk @ STM Cyber."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.\u003c/p\u003e"
}
],
"value": "IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T22:50:51.697Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7268034"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cbr\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAffected Product(s)\u003c/td\u003e\u003ctd\u003eFixed in Version\u003c/td\u003e\u003ctd\u003eFix link\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.0\u003c/td\u003e\u003ctd\u003e10.6.6.0\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.x?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.6.x\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.6.0\u0026nbsp; 10.6.0.0 - 10.6.0.8\u003c/td\u003e\u003ctd\u003e10.6.0.9\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.6.0\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.5.0\u0026nbsp; 10.5.0.0 - 10.5.0.20\u003c/td\u003e\u003ctd\u003e10.5.0.21\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.5.0\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003eIBM strongly recommends upgrading to a fixed version\u003c/p\u003e"
}
],
"value": "Affected Product(s)Fixed in VersionFix linkIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.010.6.6.0 Installation and Upgrade 10.6.x https://www.ibm.com/docs/en/datapower-gateway/10.6.x IBM DataPower Gateway 10.6.0\u00a0 10.6.0.0 - 10.6.0.810.6.0.9 Installation and Upgrade 10.6.0 https://www.ibm.com/docs/en/datapower-gateway/10.6.0 IBM DataPower Gateway 10.5.0\u00a0 10.5.0.0 - 10.5.0.2010.5.0.21 Installation and Upgrade 10.5.0 https://www.ibm.com/docs/en/datapower-gateway/10.5.0 \n\nIBM strongly recommends upgrading to a fixed version"
}
],
"title": "IBM DataPower Gateway vulnerable to CSRF",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36375",
"datePublished": "2026-04-01T22:50:51.697Z",
"dateReserved": "2025-04-15T21:16:56.325Z",
"dateUpdated": "2026-04-03T13:56:04.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-36373 (GCVE-0-2025-36373)
Vulnerability from cvelistv5 – Published: 2026-04-01 20:47 – Updated: 2026-04-02 15:49
VLAI?
Title
Incorrect administrative access control in IBM DataPower Gateway
Summary
IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.
Severity ?
4.1 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| IBM | DataPower Gateway 10.6CD |
Affected:
10.6.1.0 , ≤ 10.6.5.0
(semver)
cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:* |
||||||||||||
|
||||||||||||||
Credits
Acknowledgement This vulnerability was reported to IBM by Michał Bartoszuk & Maciej Włodarczyk @ STM Cyber.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T15:48:55.294586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T15:49:19.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:*"
],
"product": "DataPower Gateway 10.6CD",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "10.6.5.0",
"status": "affected",
"version": "10.6.1.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.20:*:*:*:*:*:*:*"
],
"product": "DataPower Gateway 10.5.0",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "10.5.0.20",
"status": "affected",
"version": "10.5.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.8:*:*:*:*:*:*:*"
],
"product": "DataPower Gateway 10.6.0",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "10.6.0.8",
"status": "affected",
"version": "10.6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Acknowledgement This vulnerability was reported to IBM by Micha\u0142 Bartoszuk \u0026 Maciej W\u0142odarczyk @ STM Cyber."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.\u003c/p\u003e"
}
],
"value": "IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T20:49:32.409Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7267833"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAffected Product(s)\u003c/td\u003e\u003ctd\u003eFixed in version\u003c/td\u003e\u003ctd\u003eFix list\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.0\u003c/td\u003e\u003ctd\u003e10.6.6.0\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.x?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.6.x\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.5.0.0 - 10.5.0.20\u003c/td\u003e\u003ctd\u003e10.5.0.21\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.5.0\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.6.0.0 - 10.6.0.8\u003c/td\u003e\u003ctd\u003e10.6.0.9\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.6.0\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Affected Product(s)Fixed in versionFix listIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.010.6.6.0 Installation and Upgrade 10.6.x https://www.ibm.com/docs/en/datapower-gateway/10.6.x IBM DataPower Gateway 10.5.0.0 - 10.5.0.2010.5.0.21 Installation and Upgrade 10.5.0 https://www.ibm.com/docs/en/datapower-gateway/10.5.0 IBM DataPower Gateway 10.6.0.0 - 10.6.0.810.6.0.9 Installation and Upgrade 10.6.0 https://www.ibm.com/docs/en/datapower-gateway/10.6.0"
}
],
"title": "Incorrect administrative access control in IBM DataPower Gateway",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36373",
"datePublished": "2026-04-01T20:47:46.485Z",
"dateReserved": "2025-04-15T21:16:56.325Z",
"dateUpdated": "2026-04-02T15:49:19.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-40228 (GCVE-0-2022-40228)
Vulnerability from cvelistv5 – Published: 2022-11-22 18:52 – Updated: 2025-04-25 19:56
VLAI?
Title
IBM DataPower Gateway session fixation
Summary
IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.
Severity ?
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
10.0.3.0 , < 10.0.4.0
(semver)
Affected: 10.0.1.0 , < 10.0.1.9 (semver) Affected: 2018.4.1.0 , < 2018.4.1.22 (semver) Affected: 10.5.0.0 , < 10.5.0.2 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6840759"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/235527"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-25T19:56:47.775668Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T19:56:58.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"lessThan": "10.0.4.0",
"status": "affected",
"version": "10.0.3.0",
"versionType": "semver"
},
{
"lessThan": "10.0.1.9",
"status": "affected",
"version": "10.0.1.0",
"versionType": "semver"
},
{
"lessThan": "2018.4.1.22",
"status": "affected",
"version": "2018.4.1.0",
"versionType": "semver"
},
{
"lessThan": "10.5.0.2",
"status": "affected",
"version": "10.5.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(204, 217, 226);\"\u003e\n\n\u003cspan style=\"background-color: rgb(204, 217, 226);\"\u003eIBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "\n\n\nIBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-22T18:52:13.196Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/6840759"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/235527"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM DataPower Gateway session fixation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-40228",
"datePublished": "2022-11-22T18:52:13.196Z",
"dateReserved": "2022-09-08T15:59:19.267Z",
"dateUpdated": "2025-04-25T19:56:58.200Z",
"requesterUserId": "69938c14-a5a2-41ac-a450-71ed41911136",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31773 (GCVE-0-2022-31773)
Vulnerability from cvelistv5 – Published: 2022-08-26 17:25 – Updated: 2024-09-16 18:50
VLAI?
Summary
IBM DataPower Gateway V10CD, 10.0.1, and 2018.4.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 228357.
Severity ?
CWE
- Gain Access
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.4.0 Affected: 2018.4.1.21 Affected: 10.0.1.8 |
Date Public ?
2022-08-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:26:01.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6615307"
},
{
"name": "ibm-datapower-cve202231773-csrf (228357)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228357"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.4.0"
},
{
"status": "affected",
"version": "2018.4.1.21"
},
{
"status": "affected",
"version": "10.0.1.8"
}
]
}
],
"datePublic": "2022-08-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway V10CD, 10.0.1, and 2018.4.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 228357."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 7.7,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/C:H/A:H/S:U/UI:R/I:H/AC:L/PR:N/AV:N/RC:C/E:U/RL:O",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Gain Access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-26T17:25:12.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6615307"
},
{
"name": "ibm-datapower-cve202231773-csrf (228357)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228357"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-08-25T00:00:00",
"ID": "CVE-2022-31773",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.4.0"
},
{
"version_value": "2018.4.1.21"
},
{
"version_value": "10.0.1.8"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway V10CD, 10.0.1, and 2018.4.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 228357."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "H",
"AC": "L",
"AV": "N",
"C": "H",
"I": "H",
"PR": "N",
"S": "U",
"UI": "R"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Gain Access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6615307",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6615307 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6615307"
},
{
"name": "ibm-datapower-cve202231773-csrf (228357)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228357"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-31773",
"datePublished": "2022-08-26T17:25:12.579Z",
"dateReserved": "2022-05-27T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:50:13.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32750 (GCVE-0-2022-32750)
Vulnerability from cvelistv5 – Published: 2022-07-31 16:07 – Updated: 2024-09-16 16:23
VLAI?
Summary
IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228435.
Severity ?
CWE
- Cross-Site Scripting
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.4.0 Affected: 2018.4.1.21 Affected: 10.1.0.8 Affected: 10.5.0.0 |
Date Public ?
2022-07-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:46:45.386Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6608600"
},
{
"name": "ibm-datapower-cve202232750-xss (228435)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228435"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.4.0"
},
{
"status": "affected",
"version": "2018.4.1.21"
},
{
"status": "affected",
"version": "10.1.0.8"
},
{
"status": "affected",
"version": "10.5.0.0"
}
]
}
],
"datePublic": "2022-07-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228435."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "CHANGED",
"temporalScore": 5.2,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/PR:L/UI:R/C:L/AV:N/I:L/AC:L/S:C/A:N/E:H/RL:O/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-31T16:07:48.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6608600"
},
{
"name": "ibm-datapower-cve202232750-xss (228435)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228435"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-07-29T00:00:00",
"ID": "CVE-2022-32750",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.4.0"
},
{
"version_value": "2018.4.1.21"
},
{
"version_value": "10.1.0.8"
},
{
"version_value": "10.5.0.0"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228435."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "L",
"S": "C",
"UI": "R"
},
"TM": {
"E": "H",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6608600",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6608600 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6608600"
},
{
"name": "ibm-datapower-cve202232750-xss (228435)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228435"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-32750",
"datePublished": "2022-07-31T16:07:48.901Z",
"dateReserved": "2022-06-09T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:23:00.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31776 (GCVE-0-2022-31776)
Vulnerability from cvelistv5 – Published: 2022-07-31 16:07 – Updated: 2024-09-17 04:20
VLAI?
Summary
IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433.
Severity ?
CWE
- Gain Access
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.4.0 Affected: 2018.4.1.21 Affected: 10.1.0.8 Affected: 10.5.0.0 |
Date Public ?
2022-07-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:26:01.231Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6608604"
},
{
"name": "ibm-datapower-cve202231776-ssrf (228433)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228433"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.4.0"
},
{
"status": "affected",
"version": "2018.4.1.21"
},
{
"status": "affected",
"version": "10.1.0.8"
},
{
"status": "affected",
"version": "10.5.0.0"
}
]
}
],
"datePublic": "2022-07-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 5.7,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/UI:N/I:L/C:L/AV:N/PR:N/A:N/AC:L/S:U/RC:C/E:U/RL:O",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Gain Access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-31T16:07:12.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6608604"
},
{
"name": "ibm-datapower-cve202231776-ssrf (228433)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228433"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-07-29T00:00:00",
"ID": "CVE-2022-31776",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.4.0"
},
{
"version_value": "2018.4.1.21"
},
{
"version_value": "10.1.0.8"
},
{
"version_value": "10.5.0.0"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Gain Access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6608604",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6608604 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6608604"
},
{
"name": "ibm-datapower-cve202231776-ssrf (228433)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228433"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-31776",
"datePublished": "2022-07-31T16:07:13.000Z",
"dateReserved": "2022-05-27T00:00:00.000Z",
"dateUpdated": "2024-09-17T04:20:23.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31775 (GCVE-0-2022-31775)
Vulnerability from cvelistv5 – Published: 2022-07-31 16:06 – Updated: 2024-09-16 19:46
VLAI?
Summary
IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359.
Severity ?
CWE
- Denial of Service
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.4.0 Affected: 10.5.0.0 Affected: 2018.4.1.20 Affected: 10.1.0.7 |
Date Public ?
2022-07-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:26:01.083Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6608608"
},
{
"name": "ibm-datapower-cve202231775-xxe (228359)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228359"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.4.0"
},
{
"status": "affected",
"version": "10.5.0.0"
},
{
"status": "affected",
"version": "2018.4.1.20"
},
{
"status": "affected",
"version": "10.1.0.7"
}
]
}
],
"datePublic": "2022-07-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 4.8,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AC:L/S:U/A:H/PR:H/UI:N/I:N/AV:N/C:L/E:U/RL:O/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-31T16:06:37.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6608608"
},
{
"name": "ibm-datapower-cve202231775-xxe (228359)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228359"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-07-29T00:00:00",
"ID": "CVE-2022-31775",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.4.0"
},
{
"version_value": "10.5.0.0"
},
{
"version_value": "2018.4.1.20"
},
{
"version_value": "10.1.0.7"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "H",
"AC": "L",
"AV": "N",
"C": "L",
"I": "N",
"PR": "H",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6608608",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6608608 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6608608"
},
{
"name": "ibm-datapower-cve202231775-xxe (228359)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228359"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-31775",
"datePublished": "2022-07-31T16:06:37.375Z",
"dateReserved": "2022-05-27T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:46:54.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31774 (GCVE-0-2022-31774)
Vulnerability from cvelistv5 – Published: 2022-07-31 16:05 – Updated: 2024-09-16 20:16
VLAI?
Summary
IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228358.
Severity ?
CWE
- Cross-Site Scripting
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.4.0 Affected: 2018.4.1.21 Affected: 10.1.0.8 Affected: 10.5.0.0 |
Date Public ?
2022-07-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:26:01.284Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6608600"
},
{
"name": "ibm-datapower-cve202231774-xss (228358)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228358"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.4.0"
},
{
"status": "affected",
"version": "2018.4.1.21"
},
{
"status": "affected",
"version": "10.1.0.8"
},
{
"status": "affected",
"version": "10.5.0.0"
}
]
}
],
"datePublic": "2022-07-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228358."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "CHANGED",
"temporalScore": 5.2,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/A:N/AC:L/S:C/UI:R/C:L/AV:N/I:L/PR:L/RC:C/RL:O/E:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-31T16:05:55.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6608600"
},
{
"name": "ibm-datapower-cve202231774-xss (228358)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228358"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-07-29T00:00:00",
"ID": "CVE-2022-31774",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.4.0"
},
{
"version_value": "2018.4.1.21"
},
{
"version_value": "10.1.0.8"
},
{
"version_value": "10.5.0.0"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 228358."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "L",
"I": "L",
"PR": "L",
"S": "C",
"UI": "R"
},
"TM": {
"E": "H",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6608600",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6608600 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6608600"
},
{
"name": "ibm-datapower-cve202231774-xss (228358)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228358"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-31774",
"datePublished": "2022-07-31T16:05:55.923Z",
"dateReserved": "2022-05-27T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:16:42.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22326 (GCVE-0-2022-22326)
Vulnerability from cvelistv5 – Published: 2022-07-31 16:05 – Updated: 2024-09-16 18:03
VLAI?
Summary
IBM Datapower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 could allow unauthorized viewing of logs and files due to insufficient authorization checks. IBM X-Force ID: 218856.
Severity ?
CWE
- Obtain Information
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.4.0 Affected: 2018.4.1.18 Affected: 10.1.0.5 |
Date Public ?
2022-07-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:07:50.310Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6560048"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6608598"
},
{
"name": "ibm-mq-cve202222326-info-disc (218856)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218856"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.4.0"
},
{
"status": "affected",
"version": "2018.4.1.18"
},
{
"status": "affected",
"version": "10.1.0.5"
}
]
}
],
"datePublic": "2022-07-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM Datapower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 could allow unauthorized viewing of logs and files due to insufficient authorization checks. IBM X-Force ID: 218856."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 3.5,
"temporalSeverity": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/A:N/S:U/AC:L/I:N/C:L/AV:L/UI:N/PR:N/E:U/RL:O/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Obtain Information",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-31T16:05:24.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6560048"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6608598"
},
{
"name": "ibm-mq-cve202222326-info-disc (218856)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218856"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-07-29T00:00:00",
"ID": "CVE-2022-22326",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.4.0"
},
{
"version_value": "2018.4.1.18"
},
{
"version_value": "10.1.0.5"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM Datapower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 could allow unauthorized viewing of logs and files due to insufficient authorization checks. IBM X-Force ID: 218856."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "L",
"C": "L",
"I": "N",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Obtain Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6560048",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6560048 (MQ Appliance)",
"url": "https://www.ibm.com/support/pages/node/6560048"
},
{
"name": "https://www.ibm.com/support/pages/node/6608598",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6608598 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6608598"
},
{
"name": "ibm-mq-cve202222326-info-disc (218856)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218856"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-22326",
"datePublished": "2022-07-31T16:05:25.070Z",
"dateReserved": "2022-01-03T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:03:08.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38944 (GCVE-0-2021-38944)
Vulnerability from cvelistv5 – Published: 2022-05-18 19:30 – Updated: 2024-09-16 22:10
VLAI?
Summary
IBM DataPower Gateway 10.0.2.0 through 1.0.3.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 211236.
Severity ?
CWE
- Gain Access
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.1.5 Affected: 10.0.3.0 Affected: 2018.4.1.18 |
Date Public ?
2022-05-17 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:51:20.786Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6587070"
},
{
"name": "ibm-datapower-cve202138944-header-injection (211236)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/211236"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.1.5"
},
{
"status": "affected",
"version": "10.0.3.0"
},
{
"status": "affected",
"version": "2018.4.1.18"
}
]
}
],
"datePublic": "2022-05-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.2.0 through 1.0.3.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 211236."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 4.2,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/C:L/A:N/I:L/UI:N/PR:N/S:U/AC:H/E:U/RC:C/RL:O",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Gain Access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-18T19:30:12.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6587070"
},
{
"name": "ibm-datapower-cve202138944-header-injection (211236)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/211236"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-05-17T00:00:00",
"ID": "CVE-2021-38944",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.1.5"
},
{
"version_value": "10.0.3.0"
},
{
"version_value": "2018.4.1.18"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.2.0 through 1.0.3.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 211236."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "H",
"AV": "N",
"C": "L",
"I": "L",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Gain Access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6587070",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6587070 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6587070"
},
{
"name": "ibm-datapower-cve202138944-header-injection (211236)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/211236"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2021-38944",
"datePublished": "2022-05-18T19:30:12.525Z",
"dateReserved": "2021-08-16T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:10:33.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38872 (GCVE-0-2021-38872)
Vulnerability from cvelistv5 – Published: 2022-05-17 16:25 – Updated: 2024-09-16 18:17
VLAI?
Summary
IBM DataPower Gateway 10.0.2.0, 10.0.3.0, 10.0.1.0 through 10.0.1.4, and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a denial of service by consuming resources with multiple requests. IBM X-Force ID: 208348.
Severity ?
CWE
- Denial of Service
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.1.4 Affected: 10.0.2.0 Affected: 10.0.3.0 Affected: 2018.4.1.17 |
Date Public ?
2022-05-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:51:20.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6586704"
},
{
"name": "ibm-datapower-cve202138872-dos (208348)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/208348"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.1.4"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.3.0"
},
{
"status": "affected",
"version": "2018.4.1.17"
}
]
}
],
"datePublic": "2022-05-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.2.0, 10.0.3.0, 10.0.1.0 through 10.0.1.4, and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a denial of service by consuming resources with multiple requests. IBM X-Force ID: 208348."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 4.6,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/PR:N/I:N/C:N/AV:N/A:L/AC:L/UI:N/S:U/RL:O/E:U/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-17T16:25:21.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6586704"
},
{
"name": "ibm-datapower-cve202138872-dos (208348)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/208348"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-05-16T00:00:00",
"ID": "CVE-2021-38872",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.1.4"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.3.0"
},
{
"version_value": "2018.4.1.17"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.2.0, 10.0.3.0, 10.0.1.0 through 10.0.1.4, and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a denial of service by consuming resources with multiple requests. IBM X-Force ID: 208348."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "L",
"AC": "L",
"AV": "N",
"C": "N",
"I": "N",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6586704",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6586704 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6586704"
},
{
"name": "ibm-datapower-cve202138872-dos (208348)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/208348"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2021-38872",
"datePublished": "2022-05-17T16:25:21.862Z",
"dateReserved": "2021-08-16T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:17:59.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-4994 (GCVE-0-2020-4994)
Vulnerability from cvelistv5 – Published: 2022-05-17 16:25 – Updated: 2024-09-16 23:01
VLAI?
Summary
IBM DataPower Gateway 10.0.1.0 through 10.0.1.4 and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a temporary denial of service by sending invalid HTTP requests. IBM X-Force ID: 192906.
Severity ?
CWE
- Denial of Service
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.1.4 Affected: 2018.4.1.17 |
Date Public ?
2022-05-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:08.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6586526"
},
{
"name": "ibm-datapower-cve20204994-dos (192906)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192906"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.1.4"
},
{
"status": "affected",
"version": "2018.4.1.17"
}
]
}
],
"datePublic": "2022-05-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.1.0 through 10.0.1.4 and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a temporary denial of service by sending invalid HTTP requests. IBM X-Force ID: 192906."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 4.6,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/PR:N/A:L/I:N/AV:N/C:N/S:U/UI:N/AC:L/RC:C/RL:O/E:U",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-17T16:25:18.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6586526"
},
{
"name": "ibm-datapower-cve20204994-dos (192906)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192906"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-05-16T00:00:00",
"ID": "CVE-2020-4994",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.1.4"
},
{
"version_value": "2018.4.1.17"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.1.0 through 10.0.1.4 and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a temporary denial of service by sending invalid HTTP requests. IBM X-Force ID: 192906."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "L",
"AC": "L",
"AV": "N",
"C": "N",
"I": "N",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6586526",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6586526 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6586526"
},
{
"name": "ibm-datapower-cve20204994-dos (192906)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192906"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2020-4994",
"datePublished": "2022-05-17T16:25:18.615Z",
"dateReserved": "2019-12-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:01:02.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38910 (GCVE-0-2021-38910)
Vulnerability from cvelistv5 – Published: 2022-03-10 19:50 – Updated: 2024-09-16 19:31
VLAI?
Summary
IBM DataPower Gateway V10CD, 10.0.1, and 2108.4.1 could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. By sending a specially crafted JSON message, an attacker could exploit this vulnerability to modify structure and fields. IBM X-Force ID: 209824.
Severity ?
CWE
- Bypass Security
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.1.0 Affected: 10.0.2.0 Affected: 10.0.1.5 Affected: 10.0.3.0 Affected: 2108.4.1.18 |
Date Public ?
2022-03-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:51:20.664Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6562347"
},
{
"name": "ibm-datapower-cve202138910-sec-bypass (209824)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209824"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "10.0.2.0"
},
{
"status": "affected",
"version": "10.0.1.5"
},
{
"status": "affected",
"version": "10.0.3.0"
},
{
"status": "affected",
"version": "2108.4.1.18"
}
]
}
],
"datePublic": "2022-03-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway V10CD, 10.0.1, and 2108.4.1 could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. By sending a specially crafted JSON message, an attacker could exploit this vulnerability to modify structure and fields. IBM X-Force ID: 209824."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 3.2,
"temporalSeverity": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/UI:N/AC:H/I:L/A:N/PR:N/AV:N/C:N/S:U/RL:O/E:U/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Bypass Security",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-10T19:50:21.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6562347"
},
{
"name": "ibm-datapower-cve202138910-sec-bypass (209824)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209824"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2022-03-09T00:00:00",
"ID": "CVE-2021-38910",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "10.0.2.0"
},
{
"version_value": "10.0.1.5"
},
{
"version_value": "10.0.3.0"
},
{
"version_value": "2108.4.1.18"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway V10CD, 10.0.1, and 2108.4.1 could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. By sending a specially crafted JSON message, an attacker could exploit this vulnerability to modify structure and fields. IBM X-Force ID: 209824."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "H",
"AV": "N",
"C": "N",
"I": "L",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Bypass Security"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6562347",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6562347 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6562347"
},
{
"name": "ibm-datapower-cve202138910-sec-bypass (209824)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209824"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2021-38910",
"datePublished": "2022-03-10T19:50:22.002Z",
"dateReserved": "2021-08-16T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:31:42.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-4992 (GCVE-0-2020-4992)
Vulnerability from cvelistv5 – Published: 2021-08-17 13:55 – Updated: 2024-09-16 19:09
VLAI?
Summary
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.16 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 192737.
Severity ?
CWE
- Gain Access
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 2018.4.1.16 |
Date Public ?
2021-08-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:07.565Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6481679"
},
{
"name": "ibm-datapower-cve20204992-csrf (192737)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192737"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "2018.4.1.16"
}
]
}
],
"datePublic": "2021-08-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.16 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 192737."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 3.8,
"temporalSeverity": "LOW",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/UI:R/S:U/AV:N/A:N/I:L/PR:N/AC:L/C:N/RL:O/E:U/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Gain Access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-17T13:55:13.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6481679"
},
{
"name": "ibm-datapower-cve20204992-csrf (192737)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192737"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2021-08-16T00:00:00",
"ID": "CVE-2020-4992",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "2018.4.1.16"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.16 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 192737."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "L",
"AV": "N",
"C": "N",
"I": "L",
"PR": "N",
"S": "U",
"UI": "R"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Gain Access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6481679",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6481679 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6481679"
},
{
"name": "ibm-datapower-cve20204992-csrf (192737)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192737"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2020-4992",
"datePublished": "2021-08-17T13:55:13.982Z",
"dateReserved": "2019-12-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:09:58.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5008 (GCVE-0-2020-5008)
Vulnerability from cvelistv5 – Published: 2021-06-07 14:05 – Updated: 2024-09-16 20:48
VLAI?
Summary
IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 stores sensitive information in GET request parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 193033.
Severity ?
CWE
- Obtain Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | DataPower Gateway |
Affected:
2018.4.1.0
Affected: 10.0.0.0 Affected: 10.0.1.0 Affected: 2018.4.1.14 |
Date Public ?
2021-06-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:08.510Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/6459681"
},
{
"name": "ibm-datapower-cve20205008-info-disc (193033)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/193033"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataPower Gateway",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2018.4.1.0"
},
{
"status": "affected",
"version": "10.0.0.0"
},
{
"status": "affected",
"version": "10.0.1.0"
},
{
"status": "affected",
"version": "2018.4.1.14"
}
]
}
],
"datePublic": "2021-06-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 stores sensitive information in GET request parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 193033."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 3.2,
"temporalSeverity": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/C:L/I:N/UI:N/A:N/S:U/AC:H/PR:N/AV:N/E:U/RL:O/RC:C",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Obtain Information",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-07T14:05:13.000Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ibm.com/support/pages/node/6459681"
},
{
"name": "ibm-datapower-cve20205008-info-disc (193033)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/193033"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@us.ibm.com",
"DATE_PUBLIC": "2021-06-04T00:00:00",
"ID": "CVE-2020-5008",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DataPower Gateway",
"version": {
"version_data": [
{
"version_value": "2018.4.1.0"
},
{
"version_value": "10.0.0.0"
},
{
"version_value": "10.0.1.0"
},
{
"version_value": "2018.4.1.14"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 stores sensitive information in GET request parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 193033."
}
]
},
"impact": {
"cvssv3": {
"BM": {
"A": "N",
"AC": "H",
"AV": "N",
"C": "L",
"I": "N",
"PR": "N",
"S": "U",
"UI": "N"
},
"TM": {
"E": "U",
"RC": "C",
"RL": "O"
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Obtain Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ibm.com/support/pages/node/6459681",
"refsource": "CONFIRM",
"title": "IBM Security Bulletin 6459681 (DataPower Gateway)",
"url": "https://www.ibm.com/support/pages/node/6459681"
},
{
"name": "ibm-datapower-cve20205008-info-disc (193033)",
"refsource": "XF",
"title": "X-Force Vulnerability Report",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/193033"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2020-5008",
"datePublished": "2021-06-07T14:05:13.638Z",
"dateReserved": "2019-12-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:48:16.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}