342 matches found
CVE-2022-40228
IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527...
Security Bulletin: IBM DataPower Gateway vulnerable to DoS
Summary This issue may result in a memory leak. Vulnerability Details CVEID:CVE-2024-26935 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error related to unremoved procfs host directory regression. A local authenticated attacker could exploit this vulnerability to...
Security Bulletin: IBM DataPower Gateway does not force a Gateway Peering password change
Summary The DataPower UI does not notify customers of any gateway-peering instance that uses the system default password. The UI will now warn if the password is not changed. Vulnerability Details CVEID:CVE-2022-31776 DESCRIPTION: IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through...
Security Bulletin: IBM DataPower Gateway may permit admin users to view and edit files that are not allowed to be read via RBM access rights (CVE-2022-22326)
Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2022-22326 DESCRIPTION: IBM MQ Appliance could allow unauthorized viewing of logs and files due to insufficient authorisation checks. CVSS Base score: 4 CVSS Temporal Score: See:...
Security Bulletin: IBM DataPower Gateway vulnerable to denial of service and remote code execution through use of Redis
Summary IBM DataPower Gateway uses Redis internally for gateway peering. Vulnerability Details CVEID:CVE-2024-46981 DESCRIPTION: Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and...
Security Bulletin: IBM DataPower Gateway vulnerable to denial of service due to rustls
Summary Rustls is used in gateway peering Vulnerability Details CVEID:CVE-2024-11738 DESCRIPTION: A flaw was found in Rustls 0.23.13 and related APIs. This vulnerability allows denial of service panic via a fragmented TLS ClientHello message. CWE:CWE-248: Uncaught Exception CVSS Source:...
Security Bulletin: IBM DataPower Gateway vulnerable to naming confusion (CVE-2024-12224)
Summary idna is used in the GitOps feature. Vulnerability Details CVEID:CVE-2024-12224 DESCRIPTION: idna 0.5.0 and earlier accepts Punycode labels that do not produce any non-ASCII output, which means that either ASCII labels or the empty root label can be masked such that they appear unequal...
Security Bulletin: IBM DataPower Gateway does not invalidate active sessions on a password change (CVE-2022-40228)
Summary If a user password is changed, IBM DataPower Gateway does not immediately invalidate existing active sessions that were created with the old password. This means that a session created using a compromised password could continue to operate after the password has been changed until the...
Security Bulletin: IBM DataPower Gateway vulnerable to Denial of Service (CVE-2024-53088)
Summary IBM DataPower Gateway uses the ethernet driver on hardware platforms. Vulnerability Details CVEID:CVE-2024-53088 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: i40e: fix race condition by adding filter's intermediate sync state Fix a race condition in the...
Security Bulletin: IBM DataPower Gateway vulnerable to DoS (CVE-2024-25062)
Summary libxml2 is used in the DataPower Gateway's DB2 connector. Vulnerability Details CVEID:CVE-2024-25062 DESCRIPTION: An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing...
Security Bulletin: IBM Datapower Operations Dashboard could allow an attacker to map URLs to filesystem locations that are unreachable by any URL CVE-2024-38475
Summary Apache HTTP Server is used by the IBM Datapower Operations Dashboard implementation of network implementation Vulnerability Details CVEID:CVE-2024-38475 DESCRIPTION: Improper escaping of output in modrewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to...
Security Bulletin: IBM DataPower Gateway vulnerable to DoS (CVE-2024-22365)
Summary This vulnerablility may affect database access, and DataPower Virtual Edition. Vulnerability Details CVEID:CVE-2024-22365 DESCRIPTION: Linux-pam is vulnerable to a denial of service, caused by a flaw in pamnamespace.so. By sending a specially crafted request, a local attacker could exploi...
Security Bulletin: IBM DataPower Gateway vulnerable to Denial of Service (CVE-2024-45296)
Summary pillarjs Path-to-RegExp is used by IBM DataPower Gateway as part of the DataPower UI CVE-2024-45296 Vulnerability Details CVEID:CVE-2024-45296 DESCRIPTION: pillarjs Path-to-RegExp is vulnerable to a denial of service, caused by a regular expression denial of service ReDoS flaw. By sending...
Security Bulletin: IBM Datapower Operations Dashboard could allow a remote attacker to bypass security restrictions CVE-2024-38473
Summary Apache HTTP Server is used by the IBM Datapower Operations Dashboard implementation of network operations Vulnerability Details CVEID:CVE-2024-38473 DESCRIPTION: Apache HTTP Server could allow a remote attacker to bypass security restrictions, caused by an encoding flaw in modproxy. By...
Security Bulletin: IBM DataPower Gateway vulnerable to Denial of Service (CVE-2024-25016)
Summary This vulnerability affects the MQ Client component of IBM Datapower Gateway . Vulnerability Details CVEID:CVE-2024-25016 DESCRIPTION: IBM MQ and IBM MQ Appliance 9.0, 9.1, 9.2, 9.3 LTS and 9.3 CD could allow a remote unauthenticated attacker to cause a denial of service due to incorrect...
Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to server-side request forgery CVE-2024-39573
Summary Apache HTTP Server is used by the IBM Datapower Operations Dashboard implementation of network operations Vulnerability Details CVEID:CVE-2024-39573 DESCRIPTION: Apache HTTP Server is vulnerable to server-side request forgery, caused by a flaw in the modrewrite. By sending a specially...
Security Bulletin: Due to use of Node.js IBM DataPower Gateway vulnerable to denial of service (CVE-2024-45590)
Summary Node.js is used by IBM DataPower Gateway as part of the user interface. Vulnerability Details CVEID:CVE-2024-45590 DESCRIPTION: expressjs body-parser is vulnerable to a denial of service, caused by a flaw when url encoding is enabled. By sending a specially crafted payload, a remote...
Security Bulletin: IBM Datapower Operations Dashboard could allow a remote attacker to execute arbitrary code on the system CVE-2024-38474
Summary Apache HTTP Server is used by the IBM Datapower Operations Dashboard implementation of their networking implementation Vulnerability Details CVEID:CVE-2024-38474 DESCRIPTION: Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by a substitution...
Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to a denial of service CVE-2024-38477
Summary Apache HTTP Server is used by the IBM Datapower Operations Dashboard implementation of network operations Vulnerability Details CVEID:CVE-2024-38477 DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in modproxy. By sending a...
Security Bulletin: IBM Datapower Operations Dashboard could allow a remote attacker to obtain sensitive information CVE-2024-38476
Summary Apache HTTP Server is used by the IBM Datapower Operations Dashboard implementation of network operations Vulnerability Details CVEID:CVE-2024-38476 DESCRIPTION: Apache HTTP Server allow a remote attacker to obtain sensitive information, caused by improper input validation by the backend...