CVSS3 base score: 5.4 (Medium)

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | LOW |
| Availability Impact | NONE |

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS: 0.001 (Low), percentile 19.9%
If a user password is changed, IBM DataPower Gateway does not immediately invalidate existing active sessions that were created with the old password. This means that a session created using a compromised password could continue to operate after the password has been changed until the session expires.
CVEID: CVE-2022-40228
**DESCRIPTION:** IBM DataPower Gateway does not invalidate sessions after a password change, which could allow an authenticated user to impersonate another user on the system.
CVSS Base score: 3.7
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/235527 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
| Affected Product(s) | Version(s) |
|---|---|
| IBM DataPower Gateway V10CD | 10.0.3.0 - 10.0.4.0 |
| IBM DataPower Gateway 10.0.1 | 10.0.1.0 - 10.0.1.9 |
| IBM DataPower Gateway 2018.4.1 | 2018.4.1.0 - 2018.4.1.22 |
| IBM DataPower Gateway 10.5.0 | 10.5.0.0 - 10.5.0.2 |
| Affected Product | Fixed in version | APAR |
|---|---|---|
| IBM DataPower Gateway V10CD | 10.0.4.0-SR2 | IT42101 |
| IBM DataPower Gateway 10.0.1 | 10.0.1.10 | IT42101 |
| IBM DataPower Gateway 2018.4.1 | 2018.4.1.23 | IT42101 |

This issue will be addressed in a future fixpack for 10.5.0.
After changing a password due to suspected compromise, reloading the gateway will invalidate all current sessions.
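To make the defect described above and the reload workaround concrete, here is an added example (not IBM's or DataPower's code) of a minimal session store: in vulnerable mode a session created with the old password stays valid until it expires, in fixed mode any session issued at or before the user's latest password change is refused, and a reload drops every session. The user name, tokens and clock values are constructed sample data.

```python
"""Constructed session store modelling CVE-2022-40228 (added example, not IBM's code)."""
from dataclasses import dataclass, field
from typing import NamedTuple
import secrets

class Session(NamedTuple):
    user: str
    issued_at: int    # clock values are integer seconds (constructed clock)
    expires_at: int

@dataclass
class SessionStore:
    invalidate_on_password_change: bool  # False reproduces the reported defect
    ttl: int = 3600
    sessions: dict = field(default_factory=dict)  # token -> Session
    password_changed_at: dict = field(default_factory=dict)  # user -> time of last change

    def login(self, user: str, now: int) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, now, now + self.ttl)
        return token

    def change_password(self, user: str, now: int) -> None:
        self.password_changed_at[user] = now  # only recorded; is_valid decides the effect

    def reload(self) -> None:
        self.sessions.clear()  # the advisory's workaround: a gateway reload drops every session

    def is_valid(self, token: str, now: int) -> bool:
        s = self.sessions.get(token)
        if s is None or now >= s.expires_at:
            return False
        changed = self.password_changed_at.get(s.user)
        if self.invalidate_on_password_change and changed is not None:
            # Issued at or before the change, so it may rest on the old password: refuse it.
            return s.issued_at > changed
        return True

def scenario(fixed: bool) -> dict:
    """Leaked-password session, then a password change, then the owner's fresh login."""
    store = SessionStore(invalidate_on_password_change=fixed)
    attacker = store.login("alice", now=1000)  # created with the compromised password
    store.change_password("alice", now=2000)
    owner = store.login("alice", now=2001)
    result = {"attacker_before_expiry": store.is_valid(attacker, now=2500),
              "owner": store.is_valid(owner, now=2500),
              "attacker_after_expiry": store.is_valid(attacker, now=4600)}
    store.reload()
    result["attacker_after_reload"] = store.is_valid(attacker, now=2500)
    return result
```

`scenario(False)` shows the reported behaviour (the pre-change session is still accepted until its TTL runs out), while `scenario(True)` shows the owner's new login accepted and the older session refused immediately.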