Jun 08, 2021 - 9:47 p.m.

Security Bulletin: IBM DataPower Gateway vulnerable to an RCE attack (CVE-2020-5014)

2021-06-08 21:47:38
www.ibm.com

CVSS3: 6.7 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS2: 4.6 Medium

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.0004 Low
Percentile: 5.7%

Summary

IBM has addressed the relevant CVE.

Vulnerability Details

**CVEID:** CVE-2020-5014
**DESCRIPTION:** IBM DataPower Gateway could allow a local attacker with administrative privileges to execute arbitrary code on the system using a server-side request forgery attack.
CVSS Base score: 6.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193247 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM DataPower Gateway | 10.0.0.0-10.0.1.1 |
| IBM DataPower Gateway | 2018.4.1.0-2018.4.1.14 |

Remediation/Fixes

| Affected Product Version | Fixed in version | APAR |
|---|---|---|
| IBM DataPower Gateway | 10.0.1.2 | IT35327 |
| IBM DataPower Gateway | 2018.4.1.15 | IT35327 |

Workarounds and Mitigations

None
