China National Vulnerability Database: CNVD-2022-56970
History: Aug 04, 2022 - 12:00 a.m.

IBM DataPower Gateway XML External Entity Injection Vulnerability (CNVD-2022-56970)

2022-08-04 00:00:00
China National Vulnerability Database
www.cnvd.org.cn

CVSS3: 9.1 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

IBM DataPower Gateway is a set of security and integration platforms from IBM (USA) designed specifically for mobile, cloud, application programming interface (API), web, service-oriented architecture (SOA), B2B, and cloud workloads. The platform protects, integrates, and optimizes access across channels using a dedicated gateway platform.

IBM DataPower Gateway suffers from an XML external entity (XXE) injection vulnerability. It stems from the product not correctly filtering references to external entities in XML input, so those references are allowed. A remote attacker can exploit this to read a file by sending a specially crafted XML file.

