Lucene search
IBM1FB480DF501E4BB994C4A302E1A1D115A94B5E316BD429228712E34AF2927C30HistoryJun 08, 2021 - 9:52 p.m.
Security Bulletin: IBM DataPower Gateway can expose remote credentials to local users (CVE-2020-4528)
2021-06-0821:52:38
www.ibm.com
9
0.0004 Low
EPSS
Percentile
5.1%
Summary
Passwords provided as part of a URL for an administrative COPY command may appear in the administrative log. If the password is not provided in the URL, it will be prompted for, and will not appear in the log.
Vulnerability Details
CVEID:CVE-2020-4528
**DESCRIPTION:**IBM MQ Appliance could allow a local user, under special conditions, to obtain highly sensitive information from log files.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182658 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM DataPower Gateway | 10.0.0.0 |
| IBM DataPower Gateway | 2018.4.1.0-2018.4.1.12 |
Remediation/Fixes
| Affected Product(s) | Fixed in version | APAR |
|---|---|---|
| IBM DataPower Gateway | 10.0.0.0.1 | IT33365 |
| IBM DataPower Gateway | 2018.4.1.13 | IT33365 |
Workarounds and Mitigations
Do not include a password in the URL. Instead, allow the appliance to prompt for a password.
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm datapower gateway | eq | 10.0.0.0 | |
| ibm datapower gateway | ge | 2018.4.1.0 | |
| ibm datapower gateway | le | 2018.4.1.12 |
Related
cvelist
cvelist
CVE-2020-4528
2020-10-05 00:00:00
nvd
nvd
CVE-2020-4528
2020-10-06 16:15:13
prion
prion
Design/Logic Flaw
2020-10-06 16:15:00
cve
cve
CVE-2020-4528
2020-10-06 16:15:13
0.0004 Low
EPSS
Percentile
5.1%
Related for 1FB480DF501E4BB994C4A302E1A1D115A94B5E316BD429228712E34AF2927C30