Lucene search

IBM91DDBD9D4FAA23335A6B4A86E1165C3B2E102A602739D530A2F0003ADBE78B12

HistoryMay 01, 2023 - 1:30 p.m.

Security Bulletin: Potential denial of service in IBM DataPower Gateway (CVE-2022-25881)

2023-05-0113:30:10

www.ibm.com

ibm

datapower gateway

cve-2022-25881

node.js

http-cache-semantics

denial of service

upgrade

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

43.2%

JSON

Summary

IBM has addressed the CVE

Vulnerability Details

CVEID:CVE-2022-25881
**DESCRIPTION:**Node.js http-cache-semantics module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending a specially-crafted regex input using request header values, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246089 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM DataPower Gateway 10.5.0	10.5.0.0 - 10.5.0.4

Remediation/Fixes

Upgrade to IBM DataPower Gateway 10.5.0.5: IT43162

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmdatapower_gatewayMatch10.5.0

CPENameOperatorVersion
ibm datapower gatewayeq10.5.0

CPE	Name	Operator	Version
	ibm datapower gateway	eq	10.5.0

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

43.2%

JSON

Related for 91DDBD9D4FAA23335A6B4A86E1165C3B2E102A602739D530A2F0003ADBE78B12