ID

VAR-201809-0549


CVE

CVE-2018-1669


TITLE

XML External Entity vulnerability in IBM DataPower Gateway and DataPower Gateway CD

Trust: 0.8

sources: JVNDB: JVNDB-2018-010240

DESCRIPTION

IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 144950. The vendor has released this vulnerability as IBM X-Force ID: 144950. Information may be obtained and service operation may be interrupted (DoS). IBM DataPower Gateways is a set of security and integration platforms from IBM Corporation of the United States, designed for mobile, cloud, application programming interface (API), network, service-oriented architecture (SOA), B2B and cloud workloads. The platform uses dedicated gateways to secure, integrate and optimize access across channels. Version 2.0 to version 7.5.2.15, version 7.6.0.0 to version 7.6.0.8, IBM DataPower Gateway CD version 7.7.0.0 to version 7.7.1.2

Trust: 1.98

sources: NVD: CVE-2018-1669 // JVNDB: JVNDB-2018-010240 // BID: 107853 // VULHUB: VHN-127074

AFFECTED PRODUCTS

vendor: ibm, model: datapower gateway, scope: lte, version: 7.5.0.16

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: gte, version: 7.2.0.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: lte, version: 7.6.0.8

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: lte, version: 7.5.2.15

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: gte, version: 7.7.0.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: lte, version: 7.1.0.23

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: gte, version: 7.5.2.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: lte, version: 7.2.0.21

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: lte, version: 7.5.1.15

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: gte, version: 7.1.0.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: gte, version: 7.6.0.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: lte, version: 7.7.1.2

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: gte, version: 7.5.1.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: gte, version: 7.5.0.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: eq, version: 7.2.0.0

Trust: 0.9

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.0 to 7.1.0.23

Trust: 0.8

vendor: ibm, model: datapower gateway, scope: eq, version: 7.2.0.0 to 7.2.0.21

Trust: 0.8

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.0.0 to 7.5.0.16

Trust: 0.8

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.1.0 to 7.5.1.15

Trust: 0.8

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.2.0 to 7.5.2.15

Trust: 0.8

vendor: ibm, model: datapower gateway, scope: eq, version: 7.6.0.0 to 7.6.0.8

Trust: 0.8

vendor: ibm, model: datapower gateway, scope: eq, version: cd 7.7.0.0 to 7.7.1.2

Trust: 0.8

vendor: ibm, model: datapower gateway, scope: eq, version: 7.7.1.2

Trust: 0.6

vendor: ibm, model: datapower gateway, scope: eq, version: 7.7.1.0

Trust: 0.6

vendor: ibm, model: datapower gateway, scope: eq, version: 7.7.0.0

Trust: 0.6

vendor: ibm, model: datapower gateway, scope: eq, version: 7.7.1.1

Trust: 0.6

vendor: ibm, model: datapower gateway cd, scope: eq, version: 7.7.1.2

Trust: 0.3

vendor: ibm, model: datapower gateway cd, scope: eq, version: 7.7.0.0

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.6.0.8

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.6.0.0

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.2.15

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.2.10

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.2.0

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.1.15

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.1.10

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.1.1

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.1.0

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.0.16

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.0.11

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.0.1

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.5.0.0

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.2.0.8

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.2.0.6

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.2.0.4

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.2.0.3

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.2.0.21

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.2.0.17

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.9

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.8

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.7

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.5

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.4

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.3

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.23

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.22

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.20

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.2

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.19

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.18

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.15

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.14

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.12

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.11

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.10

Trust: 0.3

vendor: ibm, model: datapower gateway, scope: eq, version: 7.1.0.0

Trust: 0.3

sources: BID: 107853 // JVNDB: JVNDB-2018-010240 // CNNVD: CNNVD-201809-1098 // NVD: CVE-2018-1669

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-1669
value: HIGH

Trust: 1.0

psirt@us.ibm.com: CVE-2018-1669
value: HIGH

Trust: 1.0

NVD: CVE-2018-1669
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201809-1098
value: HIGH

Trust: 0.6

VULHUB: VHN-127074
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-1669
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-127074
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-1669
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 4.2
version: 3.0

Trust: 2.8

sources: VULHUB: VHN-127074 // JVNDB: JVNDB-2018-010240 // CNNVD: CNNVD-201809-1098 // NVD: CVE-2018-1669 // NVD: CVE-2018-1669

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.9

sources: VULHUB: VHN-127074 // JVNDB: JVNDB-2018-010240 // NVD: CVE-2018-1669

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-1098

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201809-1098

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010240

PATCH

title: 0730489, url: https://www-01.ibm.com/support/docview.wss?uid=ibm10730489

Trust: 0.8

title: ibm-websphere-cve20181669-info-disc (144950), url: https://exchange.xforce.ibmcloud.com/vulnerabilities/144950

Trust: 0.8

title: IBM DataPower Gateway Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85153

Trust: 0.6

sources: JVNDB: JVNDB-2018-010240 // CNNVD: CNNVD-201809-1098

EXTERNAL IDS

db: NVD, id: CVE-2018-1669

Trust: 2.8

db: JVNDB, id: JVNDB-2018-010240

Trust: 0.8

db: CNNVD, id: CNNVD-201809-1098

Trust: 0.7

db: BID, id: 107853

Trust: 0.3

db: VULHUB, id: VHN-127074

Trust: 0.1

sources: VULHUB: VHN-127074 // BID: 107853 // JVNDB: JVNDB-2018-010240 // CNNVD: CNNVD-201809-1098 // NVD: CVE-2018-1669

REFERENCES

url:https://www.ibm.com/support/docview.wss?uid=ibm10730489

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/144950

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1669

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-1669

Trust: 0.8

url:http://www.ibm.com/

Trust: 0.3

url:https://www-01.ibm.com/support/docview.wss?uid=ibm10730489

Trust: 0.3

sources: VULHUB: VHN-127074 // BID: 107853 // JVNDB: JVNDB-2018-010240 // CNNVD: CNNVD-201809-1098 // NVD: CVE-2018-1669

CREDITS

Srinivasarao Kotipalli & Jeremy Soh

Trust: 0.3

sources: BID: 107853

SOURCES

db: VULHUB, id: VHN-127074
db: BID, id: 107853
db: JVNDB, id: JVNDB-2018-010240
db: CNNVD, id: CNNVD-201809-1098
db: NVD, id: CVE-2018-1669

LAST UPDATE DATE

2024-11-23T22:48:34.752000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-127074, date: 2019-10-09T00:00:00
db: BID, id: 107853, date: 2018-09-20T00:00:00
db: JVNDB, id: JVNDB-2018-010240, date: 2018-12-10T00:00:00
db: CNNVD, id: CNNVD-201809-1098, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-1669, date: 2024-11-21T04:00:10.480

SOURCES RELEASE DATE

db: VULHUB, id: VHN-127074, date: 2018-09-25T00:00:00
db: BID, id: 107853, date: 2018-09-20T00:00:00
db: JVNDB, id: JVNDB-2018-010240, date: 2018-12-10T00:00:00
db: CNNVD, id: CNNVD-201809-1098, date: 2018-09-26T00:00:00
db: NVD, id: CVE-2018-1669, date: 2018-09-25T15:29:01.237