IBM has addressed the following CVEs: CVE-2020-8287, CVE-2020-8265
CVEID:CVE-2020-8287
**DESCRIPTION:**Node.js is vulnerable to HTTP request smuggling. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194100 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID:CVE-2020-8265
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by a use-after-free in TLSWrap within the TLS implementation. By writing to a TLS enabled socket, an attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194101 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) - CVE-2020-8287
| Version(s)
—|—
IBM DataPower Gateway 10.0.1| 10.0.0.0-10.0.1.3
IBM DataPower Gateway 2018.4.1| 2018.4.1.0-2018.4.1.16
IBM DataPower Gateway V10 CD| 10.0.2.0
Affected Product(s) - CVE-2020-8265
| Version(s)
—|—
IBM DataPower Gateway 10.0.1| 10.0.0.0-10.0.1.3
IBM DataPower Gateway V10 CD| 10.0.2.0
Affected Product | Fixed in Version | APAR |
---|---|---|
IBM DataPower Gateway 10.0.1 | 10.0.1.4 | IT37278 |
IBM DataPower Gateway 2018.4.1| 2018.4.1.17| IT37278
IBM DataPower Gateway V10 CD| 10.0.3.0| IT37278
None