CVE-2019-4294: OS Command Injection in IBM DataPower Gateway

Severity: 7.8 HIGH (NVD)
EPSS: 0.1% (top 72.25%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Aug 20
Latest update: May 24

Description

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.6, 7.6.0.0 through 7.6.0.15 and IBM MQ Appliance 8.0.0.0 through 8.0.0.12, 9.1.0.0 through 9.1.0.2, and 9.1.1 through 9.1.2 could allow a local attacker to execute arbitrary commands on the system, caused by a command injection vulnerability. IBM X-Force ID: 16188.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (4 packages)

NVD: ibm/datapower_gateway, 7.6.0.0 through 7.6.0.15 (+2)
CVEListV5: ibm/datapower_gateway, 5 versions (+4)
NVD: ibm/mq_appliance, 8.0.0.0 through 8.0.0.12 (+2)
CVEListV5: ibm/mq_appliance, 18 versions (+17)

Vulnerability Details (2)

GHSA: GHSA-82vw-2gf8-mwfr: IBM DataPower Gateway 2018 (2022-05-24)
CVEList: CVE-2019-4294: IBM DataPower Gateway 2018 (2019-08-20)