First published: Tue Sep 25 2018(Updated: )
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 echoing of AMP management interface authorization headers exposes login credentials in browser cache. IBM X-Force ID: 144890.
Credit: psirt@us.ibm.com
Affected Software | Affected Version | How to fix |
---|---|---|
IBM DataPower Gateway | >=7.1.0.0<=7.1.0.23 | |
IBM DataPower Gateway | >=7.2.0.0<=7.2.0.21 | |
IBM DataPower Gateway | >=7.5.0.0<=7.5.0.16 | |
IBM DataPower Gateway | >=7.5.1.0<=7.5.1.15 | |
IBM DataPower Gateway | >=7.5.2.0<=7.5.2.15 | |
IBM DataPower Gateway | >=7.6.0.0<=7.6.0.8 | |
IBM DataPower Gateway | >=7.7.0.0<=7.7.1.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2018-1664 is high with a CVSS score of 7.8.
To fix CVE-2018-1664, apply the necessary patches provided by IBM for the affected versions of DataPower Gateway.
IBM DataPower Gateway versions 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, 7.6.0.0 - 7.6.0.8, and IBM DataPower Gateway CD versions 7.7.0.0 - 7.7.1.2 are affected by CVE-2018-1664.
CVE-2018-1664 is a vulnerability in IBM DataPower Gateway that allows the exposure of login credentials in the browser cache through the echoing of AMP management interface authorization headers.
You can find more information about CVE-2018-1664 in the IBM X-Force Exchange vulnerability database and the IBM support documentation.