CVSS3: 9.8 High
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2: 7.5 High
Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.026 Low (Percentile: 90.1%)
These vulnerabilities affect only those customers who have configured a binary transform action using a tx-map. IBM has addressed the CVEs. [CVE-2017-14952 and CVE-2020-10531]
CVEID: CVE-2017-14952
**DESCRIPTION:** International Components for Unicode (ICU) for C/C++ could allow a remote attacker to execute arbitrary code on the system, caused by a double free in i18n/zonemeta.cpp. By using a specially crafted string, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/133526 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2020-10531
**DESCRIPTION:** International Components for Unicode (ICU) for C/C++ is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the UnicodeString::doAppend() function in common/unistr.cpp. By sending a specially crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177660 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM DataPower Gateway V10CD | 10.0.2.0 - 10.0.4.0 |
IBM DataPower Gateway 10.0.1 | 10.0.1.0 - 10.0.1.8 |
IBM DataPower Gateway 10.5.0 | 10.5.0.0 |
IBM DataPower Gateway | 2018.4.1.0 - 2108.4.1.21 |
IBM strongly recommends addressing the vulnerability now by upgrading.
Affected Product | Fixed in release | APAR |
---|---|---|
IBM DataPower Gateway 10.5.0 | 10.5.0.1 | IT41446 |
IBM DataPower Gateway V10CD | 10.5.0.1 | IT41446 |
IBM DataPower Gateway 10.0.1 | 10.5.0.1 | IT41446 |
IBM DataPower Gateway 2018.4.1 | 10.5.0.1 | IT41446 |
Customers using IBM DataPower Gateway 10.0.1 or 2018.4.1 can upgrade to version 10.5.0.1 to obtain the fix. However, the fix will be available in a future 10.0.1 and 2018.4.1 fixpack.
None
CPE
Name | Operator | Version |
---|---|---|
ibm datapower gateway | eq | 2018.4.1 |
ibm datapower gateway | eq | 10.0.1 |
ibm datapower gateway | eq | 10 |
ibm datapower gateway | eq | 10.5 |