Lucene search

IBMC53BC40994F30ED754D998CF152264FFD28CD062F836EDAF277CB29FE08902D3

HistoryMay 17, 2022 - 2:02 p.m.

Security Bulletin: IBM DataPower Gateway vulnerable to HTTP header injection

2022-05-1714:02:25

www.ibm.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

26.9%

JSON

Summary

IBM has addressed the CVE

Vulnerability Details

CVEID:CVE-2021-38944
**DESCRIPTION:**IBM DataPower Gateway is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211236 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM DataPower Gateway V10CD	10.0.2.0-1.0.3.0
IBM DataPower Gateway 10.0.1	10.0.1.0-10.0.1.5
IBM DataPower Gateway 2018.4.1	2018.4.1.0-2018.4.1.18

Remediation/Fixes

Affected Product	Fixed in version	APAR
IBM DataPower Gateway V10CD	10.0.4.0	IT39040
IBM DataPower Gateway 10.0.1	10.0.1.6	IT39040
IBM DataPower Gateway 2018.4.1	2018.4.1.19	IT39040

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmdatapower_gatewayRange10.0.2.0≥

ibmdatapower_gatewayRange≤1.0.3.0

ibmdatapower_gatewayRange10.0.1.0≥

ibmdatapower_gatewayRange≤10.0.1.5

ibmdatapower_gatewayRange2018.4.1.0≥

ibmdatapower_gatewayRange≤2018.4.1.18

CPENameOperatorVersion
ibm datapower gateway v10cdge10.0.2.0
ibm datapower gateway v10cdle1.0.3.0
ibm datapower gateway 10.0.1ge10.0.1.0
ibm datapower gateway 10.0.1le10.0.1.5
ibm datapower gateway 2018.4.1ge2018.4.1.0
ibm datapower gateway 2018.4.1le2018.4.1.18

Name	Operator	Version
ibm datapower gateway v10cd	ge	10.0.2.0
ibm datapower gateway v10cd	le	1.0.3.0
ibm datapower gateway 10.0.1	ge	10.0.1.0
ibm datapower gateway 10.0.1	le	10.0.1.5
ibm datapower gateway 2018.4.1	ge	2018.4.1.0
ibm datapower gateway 2018.4.1	le	2018.4.1.18

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

26.9%

JSON

Related for C53BC40994F30ED754D998CF152264FFD28CD062F836EDAF277CB29FE08902D3