ID

VAR-202106-0716


CVE

CVE-2020-5008


TITLE

IBM DataPower Gateway vulnerability in insecure storage of important information in

Trust: 0.8

sources: JVNDB: JVNDB-2021-007714

DESCRIPTION

IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 stores sensitive information in GET request parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 193033. The vendor has published this vulnerability as IBM X-Force ID: 193033. Information may be obtained. IBM DataPower Gateway is a security and integration platform specially designed for mobile, cloud, application programming interface (API), network, service-oriented architecture (SOA), B2B and cloud workloads. The platform secures, integrates and optimizes access across channels with a dedicated gateway platform.

Trust: 1.71

sources: NVD: CVE-2020-5008 // JVNDB: JVNDB-2021-007714 // VULHUB: VHN-183133

AFFECTED PRODUCTS

vendor: ibm | model: datapower gateway | scope: lte | version: 2018.4.1.14

Trust: 1.0

vendor: ibm | model: datapower gateway | scope: lte | version: 10.0.1.0

Trust: 1.0

vendor: ibm | model: datapower gateway | scope: gte | version: 2018.4.1.0

Trust: 1.0

vendor: ibm | model: datapower gateway | scope: gte | version: 10.0.0.0

Trust: 1.0

vendor: ibm | model: datapower gateway | scope: eq | version: 10.0.0.0 to 10.0.1.0

Trust: 0.8

vendor: ibm | model: datapower gateway | scope: eq | version: 2018.4.1.0 to 2018.4.1.14

Trust: 0.8

vendor: ibm | model: datapower gateway | scope: eq | version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-007714 // NVD: CVE-2020-5008

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-5008
value: MEDIUM

Trust: 1.0

psirt@us.ibm.com: CVE-2020-5008
value: LOW

Trust: 1.0

NVD: CVE-2020-5008
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202106-345
value: MEDIUM

Trust: 0.6

VULHUB: VHN-183133
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-5008
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-183133
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-5008
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

psirt@us.ibm.com: CVE-2020-5008
baseSeverity: LOW
baseScore: 3.7
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 1.4
version: 3.0

Trust: 1.0

NVD: CVE-2020-5008
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-183133 // JVNDB: JVNDB-2021-007714 // CNNVD: CNNVD-202106-345 // NVD: CVE-2020-5008 // NVD: CVE-2020-5008

PROBLEMTYPE DATA

problemtype:CWE-922

Trust: 1.0

problemtype:Insecure storage of important information (CWE-922) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-007714 // NVD: CVE-2020-5008

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-345

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202106-345

PATCH

title: 6459681 IBM X-Force Exchange | url: https://www.ibm.com/support/pages/node/6459681

Trust: 0.8

title: IBM DataPower Gateway Security vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=153904

Trust: 0.6

sources: JVNDB: JVNDB-2021-007714 // CNNVD: CNNVD-202106-345

EXTERNAL IDS

db: NVD | id: CVE-2020-5008

Trust: 3.3

db: JVNDB | id: JVNDB-2021-007714

Trust: 0.8

db: CNNVD | id: CNNVD-202106-345

Trust: 0.7

db: AUSCERT | id: ESB-2021.3352

Trust: 0.6

db: VULHUB | id: VHN-183133

Trust: 0.1

sources: VULHUB: VHN-183133 // JVNDB: JVNDB-2021-007714 // CNNVD: CNNVD-202106-345 // NVD: CVE-2020-5008

REFERENCES

url:https://www.ibm.com/support/pages/node/6459681

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/193033

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-5008

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2021.3352

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-gui-permits-use-of-get/

Trust: 0.6

url:https://www.ibm.com/support/pages/node/6466727

Trust: 0.6

url:https://vigilance.fr/vulnerability/ibm-mq-appliance-information-disclosure-via-ibm-datapower-gateway-36615

Trust: 0.6

sources: VULHUB: VHN-183133 // JVNDB: JVNDB-2021-007714 // CNNVD: CNNVD-202106-345 // NVD: CVE-2020-5008

SOURCES

db: VULHUB | id: VHN-183133
db: JVNDB | id: JVNDB-2021-007714
db: CNNVD | id: CNNVD-202106-345
db: NVD | id: CVE-2020-5008

LAST UPDATE DATE

2024-08-14T13:43:31.863000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-183133 | date: 2021-06-10T00:00:00
db: JVNDB | id: JVNDB-2021-007714 | date: 2022-02-21T09:07:00
db: CNNVD | id: CNNVD-202106-345 | date: 2021-10-09T00:00:00
db: NVD | id: CVE-2020-5008 | date: 2021-06-10T18:03:10.970

SOURCES RELEASE DATE

db: VULHUB | id: VHN-183133 | date: 2021-06-07T00:00:00
db: JVNDB | id: JVNDB-2021-007714 | date: 2022-02-21T00:00:00
db: CNNVD | id: CNNVD-202106-345 | date: 2021-06-04T00:00:00
db: NVD | id: CVE-2020-5008 | date: 2021-06-07T14:15:07.717