ID

VAR-202205-1565


CVE

CVE-2021-38944


TITLE

Cross-site scripting vulnerability in IBM DataPower Gateway

Trust: 0.8

sources: JVNDB: JVNDB-2022-010961

DESCRIPTION

IBM DataPower Gateway 10.0.2.0 through 1.0.3.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 211236. A cross-site scripting vulnerability exists in IBM DataPower Gateway. The vendor has published this vulnerability as IBM X-Force ID: 211236. Information may be obtained and information may be tampered with. IBM DataPower Gateway is a security and integration platform specially designed for mobile, cloud, application programming interface (API), network, service-oriented architecture (SOA), B2B and cloud workloads. The platform secures, integrates and optimizes access across channels with a dedicated gateway platform.

Trust: 1.8

sources: NVD: CVE-2021-38944 // JVNDB: JVNDB-2022-010961 // VULHUB: VHN-400525 // VULMON: CVE-2021-38944

AFFECTED PRODUCTS

vendor: ibm, model: datapower gateway, scope: gte, version: 10.0.1.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: lte, version: 10.0.3.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: lte, version: 2018.4.1.18

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: gte, version: 2018.4.1.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: gte, version: 10.0.2.0

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: lte, version: 10.0.1.5

Trust: 1.0

vendor: ibm, model: datapower gateway, scope: eq, version: -

Trust: 0.8

vendor: ibm, model: datapower gateway, scope: eq, version: 10.0.2.0 to 1.0.3.0

Trust: 0.8

vendor: ibm, model: datapower gateway, scope: eq, version: 10.0.1.0 to 10.0.1.5

Trust: 0.8

vendor: ibm, model: datapower gateway, scope: eq, version: 2018.4.1.0 to 2018.4.1.18

Trust: 0.8

sources: JVNDB: JVNDB-2022-010961 // NVD: CVE-2021-38944

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-38944
value: MEDIUM

Trust: 1.0

psirt@us.ibm.com: CVE-2021-38944
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-38944
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202205-3730
value: MEDIUM

Trust: 0.6

VULHUB: VHN-400525
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-38944
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-400525
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-38944
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

psirt@us.ibm.com: CVE-2021-38944
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 2.5
version: 3.0

Trust: 1.0

NVD: CVE-2021-38944
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-400525 // JVNDB: JVNDB-2022-010961 // CNNVD: CNNVD-202205-3730 // NVD: CVE-2021-38944 // NVD: CVE-2021-38944

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.1

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-400525 // JVNDB: JVNDB-2022-010961 // NVD: CVE-2021-38944

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-3730

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202205-3730

PATCH

title: 6587070 IBM X-Force Exchange
url: https://www.ibm.com/support/pages/node/6587070

Trust: 0.8

title: IBM DataPower Gateway Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=194341

Trust: 0.6

sources: JVNDB: JVNDB-2022-010961 // CNNVD: CNNVD-202205-3730

EXTERNAL IDS

db: NVD, id: CVE-2021-38944

Trust: 3.4

db: JVNDB, id: JVNDB-2022-010961

Trust: 0.8

db: CNNVD, id: CNNVD-202205-3730

Trust: 0.7

db: CNVD, id: CNVD-2022-41642

Trust: 0.1

db: VULHUB, id: VHN-400525

Trust: 0.1

db: VULMON, id: CVE-2021-38944

Trust: 0.1

sources: VULHUB: VHN-400525 // VULMON: CVE-2021-38944 // JVNDB: JVNDB-2022-010961 // CNNVD: CNNVD-202205-3730 // NVD: CVE-2021-38944

REFERENCES

url: https://www.ibm.com/support/pages/node/6587070

Trust: 1.8

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/211236

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2021-38944

Trust: 0.8

url: https://cxsecurity.com/cveshow/cve-2021-38944/

Trust: 0.6

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-400525 // VULMON: CVE-2021-38944 // JVNDB: JVNDB-2022-010961 // CNNVD: CNNVD-202205-3730 // NVD: CVE-2021-38944

SOURCES

db: VULHUB, id: VHN-400525
db: VULMON, id: CVE-2021-38944
db: JVNDB, id: JVNDB-2022-010961
db: CNNVD, id: CNNVD-202205-3730
db: NVD, id: CVE-2021-38944

LAST UPDATE DATE

2024-08-14T15:42:25.108000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-400525, date: 2022-05-26T00:00:00
db: VULMON, id: CVE-2021-38944, date: 2022-05-18T00:00:00
db: JVNDB, id: JVNDB-2022-010961, date: 2023-08-18T02:51:00
db: CNNVD, id: CNNVD-202205-3730, date: 2022-05-30T00:00:00
db: NVD, id: CVE-2021-38944, date: 2022-05-26T16:44:23.557

SOURCES RELEASE DATE

db: VULHUB, id: VHN-400525, date: 2022-05-18T00:00:00
db: VULMON, id: CVE-2021-38944, date: 2022-05-18T00:00:00
db: JVNDB, id: JVNDB-2022-010961, date: 2023-08-18T00:00:00
db: CNNVD, id: CNNVD-202205-3730, date: 2022-05-18T00:00:00
db: NVD, id: CVE-2021-38944, date: 2022-05-18T20:15:08.107