CVSS3 base score: 6.5 Medium
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: LOW; Integrity Impact: LOW; Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.003 Low (percentile 66.0%)
This issue may affect the management interface for the API Connect Gateway Service. IBM has addressed the CVE.
CVEID: CVE-2022-35256
**DESCRIPTION:** Node.js is vulnerable to HTTP request smuggling, caused by the failure of the llhttp parser in the http module to correctly handle header fields that are not terminated with CRLF. A remote attacker could send a specially crafted request that leads to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236964 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
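As an added illustration of the strict behaviour the fix restores (example code, not IBM's or the Node.js project's own), the following header-block parser rejects any field line that is not terminated by CRLF instead of guessing where the field ends; the request fragments it checks are constructed samples, not captured traffic.

```javascript
// Added example, not code from IBM or the Node.js project: a strict HTTP/1.1
// header-block parser that refuses the lenient handling behind CVE-2022-35256.
// Every field line must end with CRLF; a bare LF, a bare CR, or a block whose
// last field lacks CRLF is rejected rather than accepted, so a front-end proxy
// and this parser cannot disagree about where one request ends and the next begins.

function parseStrictHeaders(raw) {
  // raw: the bytes after the request line, as a latin1 string, up to and
  // including the empty CRLF line that terminates the header block.
  const headers = {};
  let pos = 0;
  for (;;) {
    const end = raw.indexOf("\r\n", pos);
    if (end === -1) {
      return { ok: false, headers, error: "field not terminated with CRLF" };
    }
    const line = raw.slice(pos, end);
    pos = end + 2;
    // A CR or LF before the CRLF terminator means a bare CR / bare LF was used
    // as a line ending; a lenient parser might treat that as a field boundary.
    if (line.includes("\r") || line.includes("\n")) {
      return { ok: false, headers, error: "bare CR or LF used as terminator" };
    }
    if (line === "") return { ok: true, headers, error: null }; // end of block
    const colon = line.indexOf(":");
    if (colon <= 0) return { ok: false, headers, error: "missing field name" };
    const name = line.slice(0, colon);
    // RFC 9112: no whitespace is allowed between the field name and the colon.
    if (/\s/.test(name)) {
      return { ok: false, headers, error: "whitespace in field name" };
    }
    const value = line.slice(colon + 1).trim();
    const key = name.toLowerCase();
    // Repeated fields are joined with ", " (list syntax) rather than overwritten,
    // so a later check can still see that a field was sent more than once.
    headers[key] = key in headers ? headers[key] + ", " + value : value;
  }
}

// Constructed sample inputs (hypothetical host name, not captured traffic).
const SAMPLES = {
  wellFormed: "Host: api.example.test\r\nContent-Length: 5\r\n\r\n",
  bareLf: "Host: api.example.test\nContent-Length: 5\r\n\r\n",
  truncated: "Host: api.example.test\r\nContent-Length: 5",
};

for (const [label, raw] of Object.entries(SAMPLES)) {
  const r = parseStrictHeaders(raw);
  console.log(label, r.ok ? "accepted" : "rejected: " + r.error);
}
```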
| Affected Product(s) | Version(s) |
|---|---|
| IBM DataPower Gateway V10CD | 10.0.4.0 - 10.0.4.0sr2 |
| IBM DataPower Gateway 10.0.1 | 10.0.1.0 - 10.0.1.10 |
| IBM DataPower Gateway 10.5.0 | 10.5.0.0 - 10.0.5.2 |

| Affected Product | Fixed in version | APAR |
|---|---|---|
| IBM DataPower Gateway 10.0.1 | 10.0.1.11 | IT42543 |
| IBM DataPower Gateway 10.5.0 | 10.5.0.3 | IT42543 |

Customers running V10CD may upgrade free of charge to version 10.5.0. The fix will also be available in the next V10CD security refresh.
None
| CPE Name | Operator | Version |
|---|---|---|
| ibm datapower gateway | eq | 10.0.1 |
| ibm datapower gateway | eq | 10.5.0 |
| ibm datapower gateway | eq | 10 |