40 matches found
CVE-2021-38910
CVE-2021-38910 affects IBM DataPower Gateway V10CD (10.0.2.x+), 10.0.1, and 2108.4.1. The root cause is improper input validation, enabling a remote attacker to bypass security restrictions by sending a crafted JSON message to modify structure and fields. Documented impact is bypass of security c...
CVE-2021-38872
Summary: CVE-2021-38872 affects IBM DataPower Gateway. Affected versions include 10.0.2.0, 10.0.3.0, 10.0.1.0–10.0.1.4, and 2018.4.1.0–2018.4.1.17. The issue is a denial of service caused by a remote user consuming resources by sending multiple requests. The underlying root cause is improper hand...
CVE-2022-31776
CVE-2022-31776 affects IBM DataPower Gateway: SSRF in 10.0.2.0–10.0.4.0, 10.0.1.0–10.0.1.8, 10.5.0.0, and 2018.4.1.0–2018.4.1.21. The IBM security bulletin states a vulnerability leading to potential unauthorized requests from the system, enabling network enumeration or related impacts. Remediati...
CVE-2022-22326
CVE-2022-22326 affects IBM DataPower Gateway and IBM MQ Appliance with insufficient authorization checks allowing unauthorized viewing of logs and files. Affected products and versions include IBM DataPower Gateway 10.0.1.0–10.0.1.5, 10.0.2.0–10.0.4.0, and 2018.4.1.0–2018.4.1.18; remediation upgr...
CVE-2022-31775
The CVE-2022-31775 issue affects IBM DataPower Gateway and is an XML External Entity Injection (XXE) in XML data processing caused by insufficient filtering of external entities. Affected products/versions include DataPower Gateway 10.0.2.0–10.0.4.0, 10.0.1.0–10.0.1.8, 10.5.0.0, and 2018.4.1.0–20...
CVE-2021-38944
CVE-2021-38944 affects IBM DataPower Gateway versions listed in the IBM and NVD records where an improper validation of input in the HOST header enables HTTP header injection. The vulnerability arises from inadequate HOST header validation, enabling attackers to perform cross-site scripting, cach...
CVE-2022-40228
CVE-2022-40228 affects IBM DataPower Gateway and is caused by not invalidating active sessions after a password change, which could allow an authenticated user to impersonate another user. Affected versions include 10.0.3.0–10.0.4.0, 10.0.1.0–10.0.1.9, 2018.4.1.0–2018.4.1.22, and 10.5.0.0–10.5.0....
CVE-2022-31773
CVE-2022-31773 affects IBM DataPower Gateway V10CD, 10.0.1, and 2018.4.1, where a cross-site request forgery (CSRF) in the Web UI could let an attacker perform malicious, unauthorized actions on behalf of a trusted user. The root cause is CSRF in the web application that does not adequately valid...
CVE-2022-31774
CVE-2022-31774 affects IBM DataPower Gateway. Vulnerable in Web UI where lack of data validation/filtering lets attackers embed arbitrary JavaScript, potentially disclosing credentials in a trusted session. Affected versions include 10.0.1.0–10.0.1.8, 10.0.2.0–10.0.4.0, 10.5.0.0, and 2018.4.1.0–2...
CVE-2022-32750
CVE-2022-32750 affects IBM DataPower Gateway: versions 10.0.2.0–10.0.4.0, 10.0.1.0–10.0.1.8, 10.5.0.0, and 2018.4.1.0–2018.4.1.21 are vulnerable to cross-site scripting through the Web UI, allowing arbitrary JavaScript that could disclose credentials in a trusted session. Remediation: upgrade to ...
CVE-2020-5014
CVE-2020-5014 – IBM DataPower Gateway : A local attacker with administrative privileges could achieve arbitrary code execution via a server-side request forgery (SSRF) that targets internal services (notably the built‑in Redis path). Affected products/versions: DataPower Gateway 10.0.0.0–10.0.1.1...
CVE-2019-4621
IBM DataPower Gateway and IBM MQ Appliance are affected by CVE-2019-4621 due to a default administrator account that is enabled when the IPMI LAN channel is enabled. A remote attacker could gain unauthorised access to the BMC. Affected products and versions include IBM DataPower Gateway 7.6.0.0-7...
CVE-2020-4203
CVE-2020-4203 affects IBM DataPower Gateway versions 2018.4.1.0 through 2018.4.1.8, where improper access controls could allow a privileged user to disclose highly sensitive information. IBM’s Security Bulletins (B32170FFF285450407F92413C0A07773ACE80E126493E67B73280F5B62066789) confirm affected p...
CVE-2020-4205
The CVE-2020-4205 entry concerns IBM DataPower Gateway version 2018.4.1.0–2018.4.1.8 where an authenticated user could bypass security restrictions and continue to access the server after authentication certificates have been revoked. This is documented across IBM Security Bulletins and the IBM X...
CVE-2020-4528
IBM MQ Appliance (IBM DataPower Gateway 10.0.0.0 and 2018.4.1.0–2018.4.1.12) is affected by CVE-2020-4528, a local information-disclosure vulnerability where a local user could obtain highly sensitive data from log files under specific conditions. The IBM bulletin lists affected products/versions...
CVE-2020-5008
The CVE-2020-5008 issue affects IBM DataPower Gateway: affected versions include 10.0.0.0–10.0.1.0 and 2018.4.1.0–2018.4.1.14, where sensitive information is stored in GET request parameters, creating possible information disclosure if URLs are exposed in logs, referrers, or history. IBM’s remedi...
CVE-2015-7427
IBM DataPower Gateway appliances are affected by CVE-2015-7427 due to missing Secure attribute on cookies when using HTTPS, allowing potential interception of cookies. Affected versions include 6.x up to 6.0.0.16/6.0.1.12, 7.x up to 7.0.0.9, 7.1.0.6, and 7.2.0.0. Remediation: upgrade to fixed rel...
CVE-2018-1661
CVE-2018-1661 affects IBM DataPower Gateways (7.5, 7.5.1, 7.5.2, and 7.6). The issue is a cross-site request forgery (CSRF) vulnerability allowing an attacker to perform actions transmitted from a trusted user. IBM has issued a security bulletin for DataPower Gateway and IBM MQ Appliance with rem...
CVE-2018-1667
CVE-2018-1667 affects IBM DataPower Gateway and IBM DataPower/WebSphere DataPower Appliances, where a cross-site scripting (XSS) flaw could allow embedding arbitrary JavaScript in the Web UI and potentially disclose credentials within a trusted session. The vulnerability is present in multiple Da...
CVE-2020-4994
Summary of CVE-2020-4994 / IBM DataPower Gateway : Affects IBM DataPower Gateway 10.0.1.0–10.0.1.4 and 2018.4.1.0–2018.4.1.17. A remote attacker could cause a temporary denial of service by sending invalid HTTP requests. The issue is acknowledged by IBM (X-Force ID 192906) and remediated with fix...
CVE-2015-7412
CVE-2015-7412 affects IBM DataPower Gateways GatewayScript modules (7.2.0.x) where decryption API or JWE decrypt action omits requiring signed ciphertext data. The underlying issue is padding-oracle vulnerability that could allow an attacker to decrypt ciphertext and obtain plaintext if configure...
CVE-2017-1591
The CVE-2017-1591 issue is a cross-site scripting vulnerability in IBM WebSphere DataPower Appliances (7.0.0–7.6) and related IBM MQ Appliance/WebGUI components. The flaw allows embedding arbitrary JavaScript in the Web UI, potentially leading to credentials disclosure within a trusted session. R...
CVE-2018-1666
CVE-2018-1666 affects IBM DataPower/DataPower Gateway UI message rendering. A authenticated user could inject arbitrary messages displayed in the UI. Affected products/versions include IBM DataPower Gateway 2018.4.1.0, 7.6.0.0–7.6.0.11, 7.5.2.0–7.5.2.18, 7.5.1.0–7.5.1.18, 7.5.0.0–7.5.0.19, and 7....
CVE-2019-4294
CVE-2019-4294 affects IBM DataPower Gateway and IBM MQ Appliance. The root cause is a command-injection vulnerability in which a local attacker could execute arbitrary commands on the targeted system. Affected versions include IBM DataPower Gateway 2018.4.1.0–2018.4.1.6, 7.6.0.0–7.6.0.15, and IBM...
CVE-2020-4581
CVE-2020-4581 affects IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12, enabling a remote attacker to cause a denial of service by sending a chunked transfer-encoding HTTP/2 request. IBM’s advisory confirms remediation in 2018.4.1.13 (APAR IT33517) for DataPower Gateway, with no workaround do...
CVE-2018-1652
CVE-2018-1652 affects IBM DataPower Gateway and IBM MQ Appliance. A local user could cause a denial of service via unknown vectors on: DataPower Gateway versions 7.1.0.0–7.1.0.19, 7.2.0.0–7.2.0.16, 7.5.0.0–7.5.0.10, 7.5.1.0–7.5.1.9, 7.5.2.0–7.5.2.9, 7.6.0.0–7.6.0.2 and MQ Appliance 8.0.0.0–8.0.0....
CVE-2017-1773
CVE-2017-1773 affects IBM DataPower Gateway: DNS spoofing via MITM in DataPower DNS queries. Affected versions include 7.1.0.0–7.1.0.20, 7.2.0.0–7.2.0.17, 7.5.0.0–7.5.0.11, 7.5.1.0–7.5.1.10, 7.5.2.0–7.5.2.10, and 7.6.0.0–7.6.0.3. Remediation is available in newer releases: 7.1.0.21, 7.2.0.18, 7.5...
CVE-2018-1665
Affected product and scope: IBM DataPower Gateway and related appliances are listed with CVE-2018-1665, affecting multiple VMF/RMF versions of DataPower Gateway and IBM MQ Appliance as detailed in IBM security bulletins. Root cause / vulnerability type: Use of weaker-than-expected cryptographic a...
CVE-2018-1668
CVE-2018-1668 affects IBM DataPower Gateway appliances (versions 7.5.0.0–7.5.0.19, 7.5.1.0–7.5.1.18, 7.5.2.0–7.5.2.18, 7.6.0.0–7.6.0.11) and IBM MQ Appliance in some postings, where the IPMI service could be left at a “null” login, enabling read access to IPMI data and disclosure of sensitive inf...
CVE-2020-4579
IBM DataPower Gateway (versions 2018.4.1.0–2018.4.1.12) is affected by CVE-2020-4579, allowing remote denial of service via a specially crafted HTTP/2 request with invalid characters. The vendor's security bulletin confirms remediation: upgrade to 2018.4.1.13 (applies to IBM DataPower Gateway), w...
CVE-2020-4831
CVE-2020-4831 affects IBM DataPower Gateway 10.0.0.0–10.0.1.0, where weaker than expected cryptographic algorithms could allow an attacker to decrypt highly sensitive information. Connected IBM advisories confirm the vulnerability in DataPower Gateway and provide remediation: upgrade to IBM DataP...
CVE-2018-1664
This CVE affects IBM DataPower Gateway and IBM DataPower Gateway CD. The vulnerability is an information disclosure where echoing of AMP management interface authorization headers exposes login credentials in browser cache. Affected products/versions include IBM DataPower Gateway 7.1.0.0–7.1.0.23...
CVE-2018-1669
CVE-2018-1669 affects IBM DataPower Gateway and DataPower Gateway CD, with XXE in XML processing. Affected: DataPower Gateway 7.1.0.0–7.1.0.23, 7.2.0.0–7.2.0.21, 7.5.0.0–7.5.0.16, 7.5.1.0–7.5.1.15, 7.5.2.0–7.5.2.15, 7.6.0.0–7.6.0.8 and CD 7.7.0.0–7.7.1.2. Impact: potential information disclosure ...
CVE-2020-4580
CVE-2020-4580 affects IBM DataPower Gateway 2018.4.1.0–2018.4.1.12, where a remote attacker could cause a denial of service by sending a specially crafted JSON request with invalid characters. IBM’s security bulletin confirms the issue and lists the affected versions, with a fix available in 2018...
CVE-2020-4992
IBM DataPower Gateway (2018.4.1.0–2018.4.1.16) is documented as vulnerable to cross-site request forgery (CSRF). The issue enables an attacker to perform malicious, unauthorized actions transmitted from a trusted user’s session. Affected versions are fixed in 2018.4.1.17, per IBM’s security bulle...
CVE-2018-1677
The CVE-2018-1677 issue affects IBM DataPower Gateways and IBM MQ Appliance, caused by improper handling of full file systems leading to a local denial of service. Affected DataPower Gateways versions include 7.1, 7.2, 7.5, 7.5.1, 7.5.2, 7.6, and 7.7; IBM MQ Appliance is also affected. IBM has is...
CVE-2018-1421
CVE-2018-1421 affects IBM DataPower Gateways (7.1.0.0–7.1.0.21, 7.2.0.0–7.2.0.18, 7.5.0.0–7.5.0.13, 7.5.1.0–7.5.1.12, 7.5.2.0–7.5.2.12, 7.6.0.0–7.6.0.5). The issue is a XML External Entity (XXE) injection when processing XML data, allowing a remote attacker to expose sensitive information or cons...
CVE-2018-1663
CVE-2018-1663 affects IBM DataPower Gateways (versions 7.5.x, 7.6, and 2018.4). Root cause: failure to properly enable HTTP Strict Transport Security, enabling potential information disclosure via man-in-the-middle. Impact: remote attacker could obtain sensitive information. Remediation / fixes c...
CVE-2025-36373
IBM DataPower Gateway contains an information-disclosure vulnerability (CVE-2025-36373) where sensitive system information from other domains can be disclosed to an administrative user. Affected are IBM DataPower Gateway 10.6CD (10.6.1.0–10.6.5.0), 10.5.0 series (10.5.0.0–10.5.0.20), and 10.6.0 s...
CVE-2025-36375
CVE-2025-36375 affects IBM DataPower Gateway with a CSRF vulnerability. Affected versions include: 10.6CD 10.6.1.0–10.6.5.0 , 10.5.0 10.5.0.0–10.5.0.20 , and 10.6.0 10.6.0.0–10.6.0.8 . Root cause: failure to properly validate the source of a request, enabling an attacker to induce a user to perfo...