CVE-2022-40228
published 2022-11-22CVE-2022-40228: IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate…
medium5.4CVSS 3.1
AVNACLPRLUINSUCLILAN
IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | datapower_gateway | >= 10.0.1.0 < 10.0.1.9 | 10.0.1.9 |
| ibm | datapower_gateway | 10.0.1.0 – 10.0.1.9 | — |
| ibm | datapower_gateway | >= 10.0.3.0 < 10.0.4.0 | 10.0.4.0 |
| ibm | datapower_gateway | 10.0.3.0 – 10.0.4.0 | — |
| ibm | datapower_gateway | >= 10.5.0.0 < 10.5.0.2 | 10.5.0.2 |
| ibm | datapower_gateway | 10.5.0.0 – 10.5.0.2 | — |
| ibm | datapower_gateway | >= 2018.4.1.0 < 2018.4.1.22 | 2018.4.1.22 |
| ibm | datapower_gateway | 2018.4.1.0 – 2018.4.1.22 | — |