Jeremy Soh

**Name of the Vulnerable Software and Affected Versions** IBM DataPower Gateway versions 7.5.0.0 through 7.5.0.19 IBM DataPower Gateway versions 7.5.1.0 through 7.5.1.18 IBM DataPower Gateway versions 7.5.2.0 through 7.5.2.18 IBM DataPower Gateway versions 7.6.0.0 through 7.6.0.11 IBM DataPower Gateway versions 7.7.0.0 through 7.7.1.3 IBM DataPower Gateway version 2018.4.1.0 **Description** The issue allows an authenticated user to inject arbitrary messages that would be displayed on the UI. **Recommendations** For IBM DataPower Gateway version 2018.4.1.0, update to a version that fixes this issue. For IBM DataPower Gateway versions 7.5.0.0 through 7.5.0.19, update to a version that fixes this issue. For IBM DataPower Gateway versions 7.5.1.0 through 7.5.1.18, update to a version that fixes this issue. For IBM DataPower Gateway versions 7.5.2.0 through 7.5.2.18, update to a version that fixes this issue. For IBM DataPower Gateway versions 7.6.0.0 through 7.6.0.11, update to a version that fixes this issue. For IBM DataPower Gateway versions 7.7.0.0 through 7.7.1.3, update to a version that fixes this issue.

**Name of the Vulnerable Software and Affected Versions** IBM DataPower Gateway versions 7.5.0.0 through 7.5.2.18 IBM DataPower Gateway versions 7.6.0.0 through 7.6.0.11 **Description** The issue allows "null" logins, which could give read access to IPMI data, potentially leading to the exposure of sensitive information. **Recommendations** For IBM DataPower Gateway versions 7.5.0.0 through 7.5.2.18, update to a version outside of the affected range to prevent "null" logins and restrict access to IPMI data. For IBM DataPower Gateway versions 7.6.0.0 through 7.6.0.11, update to a version outside of the affected range to prevent "null" logins and restrict access to IPMI data. As a temporary workaround, consider restricting access to IPMI data until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IBM DataPower Gateways versions 7.5 through 7.6 **Description** The issue allows an attacker to execute malicious and unauthorized actions by exploiting cross-site request forgery. This could be done by transmitting malicious requests from a user that the website trusts. **Recommendations** For IBM DataPower Gateways versions 7.5 through 7.6, update to a version that includes a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** IBM DataPower Gateway versions 7.5.0.0 through 7.5.0.18 IBM DataPower Gateway versions 7.5.1.0 through 7.5.1.17 IBM DataPower Gateway versions 7.5.2.0 through 7.5.2.17 IBM DataPower Gateway versions 7.6.0.0 through 7.6.0.10 IBM DataPower Gateway versions 7.7.0.0 through 7.7.1.3 **Description** The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. **Recommendations** For versions 7.5.0.0 through 7.5.0.18, update to a fixed version to resolve the issue. For versions 7.5.1.0 through 7.5.1.17, update to a fixed version to resolve the issue. For versions 7.5.2.0 through 7.5.2.17, update to a fixed version to resolve the issue. For versions 7.6.0.0 through 7.6.0.10, update to a fixed version to resolve the issue. For versions 7.7.0.0 through 7.7.1.3, update to a fixed version to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** IBM DataPower Gateway versions 7.5.0.0 through 7.5.0.18 IBM DataPower Gateway versions 7.5.1.0 through 7.5.1.17 IBM DataPower Gateway versions 7.5.2.0 through 7.5.2.17 IBM DataPower Gateway versions 7.6.0.0 through 7.6.0.10 IBM DataPower Gateway versions 7.7.0.0 through 7.7.1.3 **Description** The issue is related to the use of weaker than expected cryptographic algorithms, which could allow an attacker to decrypt highly sensitive information. **Recommendations** For IBM DataPower Gateway versions 7.5.0.0 through 7.5.0.18, update to a version that uses stronger cryptographic algorithms. For IBM DataPower Gateway versions 7.5.1.0 through 7.5.1.17, update to a version that uses stronger cryptographic algorithms. For IBM DataPower Gateway versions 7.5.2.0 through 7.5.2.17, update to a version that uses stronger cryptographic algorithms. For IBM DataPower Gateway versions 7.6.0.0 through 7.6.0.10, update to a version that uses stronger cryptographic algorithms. For IBM DataPower Gateway versions 7.7.0.0 through 7.7.1.3, update to a version that uses stronger cryptographic algorithms.

**Name of the Vulnerable Software and Affected Versions** IBM DataPower Gateway versions 7.1.0.0 through 7.1.0.23 IBM DataPower Gateway versions 7.2.0.0 through 7.2.0.21 IBM DataPower Gateway versions 7.5.0.0 through 7.5.0.16 IBM DataPower Gateway versions 7.5.1.0 through 7.5.1.15 IBM DataPower Gateway versions 7.5.2.0 through 7.5.2.15 IBM DataPower Gateway versions 7.6.0.0 through 7.6.0.8 IBM DataPower Gateway CD versions 7.7.0.0 through 7.7.1.2 **Description** The issue allows a remote attacker to exploit the vulnerability and expose sensitive information or consume memory resources through a XML External Entity Injection (XXE) attack when processing XML data. **Recommendations** For IBM DataPower Gateway versions 7.1.0.0 through 7.1.0.23, update to a version outside of this range to resolve the issue. For IBM DataPower Gateway versions 7.2.0.0 through 7.2.0.21, update to a version outside of this range to resolve the issue. For IBM DataPower Gateway versions 7.5.0.0 through 7.5.0.16, update to a version outside of this range to resolve the issue. For IBM DataPower Gateway versions 7.5.1.0 through 7.5.1.15, update to a version outside of this range to resolve the issue. For IBM DataPower Gateway versions 7.5.2.0 through 7.5.2.15, update to a version outside of this range to resolve the issue. For IBM DataPower Gateway versions 7.6.0.0 through 7.6.0.8, update to a version outside of this range to resolve the issue. For IBM DataPower Gateway CD versions 7.7.0.0 through 7.7.1.2, update to a version outside of this range to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** IBM DataPower Gateway versions 7.1.0.0 through 7.1.0.23 IBM DataPower Gateway versions 7.2.0.0 through 7.2.0.21 IBM DataPower Gateway versions 7.5.0.0 through 7.5.0.16 IBM DataPower Gateway versions 7.5.1.0 through 7.5.1.15 IBM DataPower Gateway versions 7.5.2.0 through 7.5.2.15 IBM DataPower Gateway versions 7.6.0.0 through 7.6.0.8 IBM DataPower Gateway CD versions 7.7.0.0 through 7.7.1.2 **Description** The echoing of AMP management interface authorization headers in IBM DataPower Gateway exposes login credentials in the browser cache. **Recommendations** For IBM DataPower Gateway versions 7.1.0.0 through 7.1.0.23, update to a version outside of this range to resolve the issue. For IBM DataPower Gateway versions 7.2.0.0 through 7.2.0.21, update to a version outside of this range to resolve the issue. For IBM DataPower Gateway versions 7.5.0.0 through 7.5.0.16, update to a version outside of this range to resolve the issue. For IBM DataPower Gateway versions 7.5.1.0 through 7.5.1.15, update to a version outside of this range to resolve the issue. For IBM DataPower Gateway versions 7.5.2.0 through 7.5.2.15, update to a version outside of this range to resolve the issue. For IBM DataPower Gateway versions 7.6.0.0 through 7.6.0.8, update to a version outside of this range to resolve the issue. For IBM DataPower Gateway CD versions 7.7.0.0 through 7.7.1.2, update to a version outside of this range to resolve the issue.