CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
AI Score
Confidence
High
Node.js is used by IBM DataPower Gateway in the Gateway Director and UI components.
CVEID:CVE-2024-27982
**DESCRIPTION:**Node.js is vulnerable to HTTP request smuggling, caused by the use of content length obfuscation in the http server. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286863 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM DataPower Gateway 10.5 CD | 10.5.1.0 - 10.5.4.0 |
IBM DataPower Gateway 10.5.0 | 10.5.0.0 - 10.5.0.11 |
Affected Product | Fixed in release | APAR |
---|---|---|
IBM DataPower Gateway 10.5.0 | 10.5.0.12 | IT46105 |
IBM DataPower Gateway 10.5 CD | 10.6.0.0 | IT46105 |
IBM strongly recommends addressing the vulnerability by upgrading to a fixed version
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | datapower_gateway | 10.5.0 | cpe:2.3:a:ibm:datapower_gateway:10.5.0:*:*:*:*:*:*:* |
ibm | datapower_gateway | 10.5 | cpe:2.3:a:ibm:datapower_gateway:10.5:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
AI Score
Confidence
High