Datapower Gateway Security Vulnerabilities and Issues — Datapower Gateway CVE List

Lucene search

IbmDatapower Gateway

38 matches found

CVE•added 2022/03/10 8:15 p.m.•92 views

CVE-2021-38910

IBM DataPower Gateway V10CD, 10.0.1, and 2108.4.1 could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. By sending a specially crafted JSON message, an attacker could exploit this vulnerability to modify structure and fields. IBM X-Force ID: 2098...

5.3CVSS5.2AI score0.0032EPSS

CVE•added 2022/05/17 5:15 p.m.•70 views

CVE-2021-38872

IBM DataPower Gateway 10.0.2.0, 10.0.3.0, 10.0.1.0 through 10.0.1.4, and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a denial of service by consuming resources with multiple requests. IBM X-Force ID: 208348.

7.5CVSS7.2AI score0.00334EPSS

CVE•added 2022/08/01 11:15 a.m.•66 views

CVE-2022-31775

IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or con...

9.1CVSS8.9AI score0.00024EPSS

CVE•added 2022/08/01 11:15 a.m.•65 views

CVE-2022-31776

IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumer...

8.8CVSS8.2AI score0.00066EPSS

CVE•added 2022/05/18 8:15 p.m.•63 views

CVE-2021-38944

IBM DataPower Gateway 10.0.2.0 through 1.0.3.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, in...

6.1CVSS6AI score0.00213EPSS

CVE•added 2022/08/01 11:15 a.m.•63 views

CVE-2022-22326

IBM Datapower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 could allow unauthorized viewing of logs and files due to insufficient authorization checks. IBM X-Force ID: 218856.

4CVSS3.9AI score0.00024EPSS

CVE•added 2022/11/22 7:15 p.m.•60 views

CVE-2022-40228

IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.

5.4CVSS4.7AI score0.00046EPSS

CVE•added 2022/08/26 6:15 p.m.•57 views

CVE-2022-31773

IBM DataPower Gateway V10CD, 10.0.1, and 2018.4.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 228357.

8.8CVSS8.4AI score0.00074EPSS

CVE•added 2022/08/01 11:15 a.m.•57 views

CVE-2022-31774

IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leadi...

5.4CVSS5.2AI score0.00106EPSS

CVE•added 2022/08/01 11:15 a.m.•53 views

CVE-2022-32750

5.4CVSS5.2AI score0.00106EPSS

CVE•added 2019/12/09 11:15 p.m.•48 views

CVE-2019-4621

IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.

9.8CVSS9.1AI score0.00808EPSS

CVE•added 2020/03/19 2:15 p.m.•48 views

CVE-2020-4205

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could allow an authenticated user to bypass security restrictions, and continue to access the server even after authentication certificates have been revolked. IBM X-Force ID: 174961.

6.5CVSS6.3AI score0.00084EPSS

CVE•added 2021/03/08 6:15 p.m.•48 views

CVE-2020-5014

IBM DataPower Gateway V10 and V2018 could allow a local attacker with administrative privileges to execute arbitrary code on the system using a server-side requesr forgery attack. IBM X-Force ID: 193247.

6.7CVSS6.7AI score0.01253EPSS

CVE•added 2020/10/06 4:15 p.m.•47 views

CVE-2020-4528

IBM MQ Appliance (IBM DataPower Gateway 10.0.0.0 and 2018.4.1.0 through 2018.4.1.12) could allow a local user, under special conditions, to obtain highly sensitive information from log files. IBM X-Force ID: 182658.

5.9CVSS5AI score0.00046EPSS

CVE•added 2020/03/19 2:15 p.m.•46 views

CVE-2020-4203

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could potentially disclose highly sensitive information to a privileged user due to improper access controls. IBM X-Force ID: 174956.

4.9CVSS4.8AI score0.00266EPSS

CVE•added 2018/12/20 2:29 p.m.•45 views

CVE-2018-1661

IBM DataPower Gateways 7.5, 7.5.1, 7.5.2, and 7.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 144887.

8.8CVSS8.4AI score0.00155EPSS

CVE•added 2018/12/13 4:29 p.m.•45 views

CVE-2018-1667

IBM DataPower Gateway 7.6.0.0 through 7.6.0.10, 7.5.2.0 through 7.5.2.17, 7.5.1.0 through 7.5.1.17, 7.5.0.0 through 7.5.0.18, and 7.7.0.0 through 7.7.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intende...

5.4CVSS5.2AI score0.00111EPSS

CVE•added 2022/05/17 5:15 p.m.•45 views

CVE-2020-4994

IBM DataPower Gateway 10.0.1.0 through 10.0.1.4 and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a temporary denial of service by sending invalid HTTP requests. IBM X-Force ID: 192906.

7.5CVSS7.2AI score0.00426EPSS

CVE•added 2021/06/07 2:15 p.m.•45 views

CVE-2020-5008

IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 stores sensitive information in GET request parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 193...

5.3CVSS4.9AI score0.00147EPSS

CVE•added 2017/09/28 1:29 a.m.•42 views

CVE-2017-1591

IBM WebSphere DataPower Appliances 7.0.0 through 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force I...

6.1CVSS5.8AI score0.00282EPSS

CVE•added 2019/02/07 4:0 p.m.•42 views

CVE-2018-1666

IBM DataPower Gateway 2018.4.1.0, 7.6.0.0 through 7.6.0.11, 7.5.2.0 through 7.5.2.18, 7.5.1.0 through 7.5.1.18, 7.5.0.0 through 7.5.0.19, and 7.7.0.0 through 7.7.1.3 could allow an authenticated user to inject arbitrary messages that would be displayed on the UI. IBM X-Force ID: 144892.

4.3CVSS4.4AI score0.00165EPSS

CVE•added 2019/08/20 7:15 p.m.•42 views

CVE-2019-4294

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.6, 7.6.0.0 through 7.6.0.15 and IBM MQ Appliance 8.0.0.0 through 8.0.0.12, 9.1.0.0 through 9.1.0.2, and 9.1.1 through 9.1.2 could allow a local attacker to execute arbitrary commands on the system, caused by a command injection vulnerability. IBM X-...

8.4CVSS7.9AI score0.001EPSS

CVE•added 2015/11/08 10:59 p.m.•41 views

CVE-2015-7412

The GatewayScript modules on IBM DataPower Gateways with software 7.2.0.x before 7.2.0.1, when the GatewayScript decryption API or a JWE decrypt action is enabled, do not require signed ciphertext data, which makes it easier for remote attackers to obtain plaintext data via a padding-oracle attack.

2.6CVSS6.5AI score0.00212EPSS

CVE•added 2018/12/11 4:29 p.m.•41 views

CVE-2018-1652

IBM DataPower Gateway 7.1.0.0 through 7.1.0.19, 7.2.0.0 through 7.2.0.16, 7.5.0.0 through 7.5.0.10, 7.5.1.0 through 7.5.1.9, 7.5.2.0 through 7.5.2.9, and 7.6.0.0 through 7.6.0.2 and IBM MQ Appliance 8.0.0.0 through 8.0.0.8 and 9.0.1 through 9.0.5 could allow a local user to cause a denial of servic...

6.2CVSS5.2AI score0.0005EPSS

CVE•added 2018/01/31 3:29 p.m.•40 views

CVE-2017-1773

IBM DataPower Gateways 7.1, 7,2, 7.5, and 7.6 could allow an attacker using man-in-the-middle techniques to spoof DNS responses to perform DNS cache poisoning and redirect Internet traffic. IBM X-Force ID: 136817.

4.3CVSS4.1AI score0.00107EPSS

CVE•added 2019/01/29 4:29 p.m.•40 views

CVE-2018-1668

IBM DataPower Gateway 7.5.0.0 through 7.5.0.19, 7.5.1.0 through 7.5.1.18, 7.5.2.0 through 7.5.2.18, and 7.6.0.0 through 7.6.0.11 appliances allows "null" logins which could give read access to IPMI data to obtain sensitive information. IBM X-Force ID: 144894.

7.5CVSS6.9AI score0.00154EPSS

CVE•added 2020/09/21 3:15 p.m.•40 views

CVE-2020-4581

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a chunked transfer-encoding HTTP/2 request. IBM X-Force ID: 184441.

7.5CVSS7.3AI score0.00729EPSS

CVE•added 2015/11/14 3:59 a.m.•38 views

CVE-2015-7427

IBM DataPower Gateway appliances with firmware 6.x before 6.0.0.17, 6.0.1.x before 6.0.1.17, 7.x before 7.0.0.10, 7.1.0.x before 7.1.0.7, and 7.2.x before 7.2.0.1 do not set the secure flag for unspecified cookies in an https session, which makes it easier for remote attackers to capture these cook...

5CVSS6.7AI score0.00225EPSS

CVE•added 2018/12/13 4:29 p.m.•38 views

CVE-2018-1665

IBM DataPower Gateway 7.6.0.0 through 7.6.0.10, 7.5.2.0 through 7.5.2.17, 7.5.1.0 through 7.5.1.17, 7.5.0.0 through 7.5.0.18, and 7.7.0.0 through 7.7.1.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 144891.

7.5CVSS7.2AI score0.00096EPSS

CVE•added 2021/08/17 2:15 p.m.•38 views

CVE-2020-4992

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.16 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 192737.

6.5CVSS6.4AI score0.00103EPSS

CVE•added 2018/09/25 4:0 p.m.•37 views

CVE-2018-1664

IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 echoing of AMP management interface authorization headers exposes login credentials in browser cache....

7.8CVSS7.3AI score0.00043EPSS

CVE•added 2020/09/21 3:15 p.m.•37 views

CVE-2020-4579

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted HTTP/2 request with invalid characters. IBM X-Force ID: 184438.

7.5CVSS7.3AI score0.01612EPSS

CVE•added 2021/03/12 5:15 p.m.•37 views

CVE-2020-4831

IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 189965.

7.5CVSS7.2AI score0.00112EPSS

CVE•added 2018/12/07 4:29 p.m.•34 views

CVE-2018-1663

IBM DataPower Gateways 7.5, 7.5.1, 7.5.2, 7.6, and 2018.4 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle tech...

5.9CVSS5.4AI score0.00279EPSS

CVE•added 2018/09/25 4:0 p.m.•34 views

CVE-2018-1669

IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote att...

7.1CVSS6.8AI score0.00403EPSS

CVE•added 2018/12/20 2:29 p.m.•34 views

CVE-2018-1677

IBM DataPower Gateways 7.1, 7.2, 7.5, 7.5.1, 7.5.2, 7.6, and 7.7 and IBM MQ Appliance are vulnerable to a denial of service, caused by the improper handling of full file system. A local attacker could exploit this vulnerability to cause a denial of service. IBM X-Force ID: 145171.

5.5CVSS5.3AI score0.0005EPSS

CVE•added 2020/09/21 3:15 p.m.•33 views

CVE-2020-4580

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted a JSON request with invalid characters. IBM X-Force ID: 184439.

7.5CVSS7.3AI score0.00729EPSS

CVE•added 2018/04/04 6:29 p.m.•32 views

CVE-2018-1421

IBM WebSphere DataPower Appliances 7.1, 7.2, 7.5, 7.5.1, 7.5.2, and 7.6 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 139023.

7.1CVSS6.8AI score0.00323EPSS