Lucene search

K
ibmIBM91DDBD9D4FAA23335A6B4A86E1165C3B2E102A602739D530A2F0003ADBE78B12
HistoryMay 01, 2023 - 1:30 p.m.

Security Bulletin: Potential denial of service in IBM DataPower Gateway (CVE-2022-25881)

2023-05-0113:30:10
www.ibm.com
28
ibm
datapower gateway
cve-2022-25881
node.js
http-cache-semantics
denial of service
upgrade

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

43.2%

Summary

IBM has addressed the CVE

Vulnerability Details

CVEID:CVE-2022-25881
**DESCRIPTION:**Node.js http-cache-semantics module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending a specially-crafted regex input using request header values, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246089 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM DataPower Gateway 10.5.0 10.5.0.0 - 10.5.0.4

Remediation/Fixes

Upgrade to IBM DataPower Gateway 10.5.0.5: IT43162

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmdatapower_gatewayMatch10.5.0
CPENameOperatorVersion
ibm datapower gatewayeq10.5.0

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

43.2%