CVE-2021-38910

IBM DataPower Gateway V10CD, 10.0.1, and 2108.4.1 could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. By sending a specially crafted JSON message, an attacker could exploit this vulnerability to modify structure and fields. IBM X-Force ID: 209824.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/209824	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6562347	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:datapower_gateway::::::::
	cpe:2.3:a:ibm:datapower_gateway::::::::
	cpe:2.3:a:ibm:datapower_gateway:10.0.2.0:::::::*
	cpe:2.3:a:ibm:datapower_gateway:10.0.3.0:::::::*

History

18 Mar 2022, 17:54

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 5.0 v3 : 5.3
CPE		cpe:2.3:a:ibm:datapower_gateway:::::::: cpe:2.3:a:ibm:datapower_gateway:10.0.2.0:::::::* cpe:2.3:a:ibm:datapower_gateway:10.0.3.0:::::::*
CWE		CWE-20
First Time		Ibm datapower Gateway Ibm
References	~~(CONFIRM) https://www.ibm.com/support/pages/node/6562347 -~~	(CONFIRM) https://www.ibm.com/support/pages/node/6562347 - Vendor Advisory
References	~~(XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/209824 -~~	(XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/209824 - VDB Entry, Vendor Advisory

10 Mar 2022, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-03-10 20:15

Updated : 2023-12-10 14:22

NVD link : CVE-2021-38910

Mitre link : CVE-2021-38910

CVE.ORG link : CVE-2021-38910

JSON object : View

Products Affected

ibm

datapower_gateway

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2021-38910", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-03-10T20:15:08.200", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209824", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/6562347", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "IBM DataPower Gateway V10CD, 10.0.1, and 2108.4.1 could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. By sending a specially crafted JSON message, an attacker could exploit this vulnerability to modify structure and fields. IBM X-Force ID: 209824."}, {"lang": "es", "value": "IBM DataPower Gateway versiones V10CD, 10.0.1 y 2108.4.1, podr\u00eda permitir a un atacante remoto omitir las restricciones de seguridad, causado por una comprobaci\u00f3n incorrecta de la entrada. Al enviar un mensaje JSON especialmente dise\u00f1ado, un atacante podr\u00eda explotar esta vulnerabilidad para modificar la estructura y los campos. IBM X-Force ID: 209824"}], "lastModified": "2022-03-18T17:54:53.330", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7C242C00-2B08-4D30-8353-BC6EFF4C08BC", "versionEndIncluding": "10.0.1.5", "versionStartIncluding": "10.0.1.0"}, {"criteria": "cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99FA702F-1D35-4553-BBE3-A94BE958641F", "versionEndIncluding": "2018.4.1.18", "versionStartIncluding": "2018.4.1.0"}, {"criteria": "cpe:2.3:a:ibm:datapower_gateway:10.0.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "12B6C926-133E-42AF-8FB9-4B23C3EBAF27"}, {"criteria": "cpe:2.3:a:ibm:datapower_gateway:10.0.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B44C41B-CBDA-4000-9602-07D279BDEB03"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}