Lucene search

K
ibmIBM72845791E2A15BE8FED60408D32370CFBC16785C4CD14C30BB4378FD269BDE92
HistoryMay 02, 2023 - 6:20 p.m.

Security Bulletin: Potential security bypass in IBM DataPower Gateway (CVE_2023-23920)

2023-05-0218:20:11
www.ibm.com
39
ibm
datapower gateway
security bypass
cve-2023-23920
node.js
remote attacker
access control
cvss
vulnerability
icu data
ibm cloud
fix
upgrade

CVSS3

4.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N

AI Score

6

Confidence

High

EPSS

0

Percentile

14.1%

Summary

IBM has addressed the CVE

Vulnerability Details

**CVEID:**CVE-2023-23920 DESCRIPTION: Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By sending a specially-crafted request using ICU_DATA environment variable, an attacker could exploit this vulnerability to search and potentially load ICU data.
CVSS Base score: 2.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247694 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM DataPower Gateway 10.0.1 10.0.1.0 - 10.0.1.12
IBM DataPower Gateway 10.5.0 10.5.0.0 - 10.5.0.4

Remediation/Fixes

Affected Product Fixed in version APAR
IBM DataPower Gateway 10.5.0 IBM DataPower Gateway 10.5.0.5 IT43661
IBM DataPower Gateway 10.0.1 IBM DataPower Gateway 10.0.1.13 IT43661
Customers using older releases may upgrade free of charge to 10.5 or 10.0.1

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmdatapower_gatewayMatch10.5.0
OR
ibmdatapower_gatewayMatch10.0.1
VendorProductVersionCPE
ibmdatapower_gateway10.5.0cpe:2.3:a:ibm:datapower_gateway:10.5.0:*:*:*:*:*:*:*
ibmdatapower_gateway10.0.1cpe:2.3:a:ibm:datapower_gateway:10.0.1:*:*:*:*:*:*:*

CVSS3

4.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N

AI Score

6

Confidence

High

EPSS

0

Percentile

14.1%