CVE-2019-4621 — Initialization of a Resource with an Insecure Default in IBM Datapower Gateway

CWE-1188 — Initialization of a Resource with an Insecure Default4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.8%

top 25.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Datapower Gateway

Timeline

PublishedDec 9

Latest updateMay 24

Description

IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDibm/datapower_gateway7.6.0.0 — 7.6.0.14+1

▶CVEListV5ibm/datapower_gateway4 versions+3

🔴Vulnerability Details

GHSA

GHSA-3r7q-rhw3-rmxq: IBM DataPower Gateway 7↗2022-05-24

▶

CVEList

CVE-2019-4621: IBM DataPower Gateway 7↗2019-12-09

▶

💬Community

Bugzilla

CVE-2019-12222 SDL: out-of-bounds read in function SDL_InvalidateMap in video/SDL_pixels.c↗2019-07-23

▶