Detections
Analytics

IBM DataPower Gateway Security Bypass

critical Nessus Plugin ID 138763

Language:

Synopsis

A web application running on the remote host is affected by a security bypass vulnerability.

Description

According to its self-reported version, the IBM DataPower Gateway running on the remote host is affected by a security bypass vulnerability due to a default account that is present if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC.

Solution

Refer to the vendor advisory for patch details.

See Also

https://exchange.xforce.ibmcloud.com/vulnerabilities/168883

Plugin Details

Severity: Critical

ID: 138763

File Name: ibm_datapower_cve-2019-4621.nasl

Version: 1.2

Type: remote

Family: Misc.

Published: 7/20/2020

Updated: 7/21/2020

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-4621

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:datapower_gateway

Required KB Items: installed_sw/IBM DataPower Gateway

Exploit Ease: No known exploits are available

Patch Publication Date: 12/5/2019

Vulnerability Publication Date: 12/5/2019

Reference Information

CVE: CVE-2019-4621