CVE-2018-1663 : IBM DataPower Gateways 7.5, 7.5.1, 7.5.2, 7.6, and 2018.4 could allow a remote a

IBM DataPower Gateways 7.5, 7.5.1, 7.5.2, 7.6, and 2018.4 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 144889.

Published 2018-12-07 16:29:00

Updated 2019-10-09 23:38:50

Source IBM Corporation

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2018-1663

IBM » Datapower Gateway » Continuous Delivery Edition
Versions from including (>=) 7.7.0.0 and up to, including, (<=) 7.7.1.3
cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:continuous_delivery:*:*:*
Matching versions
IBM » Datapower Gateway
Versions from including (>=) 7.5.0.0 and up to, including, (<=) 7.5.0.17
cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*
Matching versions
IBM » Datapower Gateway
Versions from including (>=) 7.5.2.0 and up to, including, (<=) 7.5.2.16
cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*
Matching versions
IBM » Datapower Gateway
Versions from including (>=) 7.6.0.0 and up to, including, (<=) 7.6.0.9
cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*
Matching versions
IBM » Datapower Gateway
Versions from including (>=) 7.5.1.0 and up to, including, (<=) 7.5.1.16
cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*
Matching versions
IBM » Datapower Gateway » Version: 2018.4
cpe:2.3:a:ibm:datapower_gateway:2018.4:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-1663

EPSS FAQ

0.28%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 48 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-1663

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	IBM Corporation
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2018-1663

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-1663

https://exchange.xforce.ibmcloud.com/vulnerabilities/144889

IBM DataPower Gateways information disclosure CVE-2018-1663 Vulnerability Report
VDB Entry;Vendor Advisory
https://www.ibm.com/support/docview.wss?uid=ibm10740033

IBM Security Bulletin: IBM DataPower Gateways is affected by a downgrade vulnerability (CVE-2018-1663)
Patch;Vendor Advisory
http://www.securityfocus.com/bid/106199

IBM DataPower Gateways CVE-2018-1663 Information Disclosure Vulnerability
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2018-1663

Products affected by CVE-2018-1663

Exploit prediction scoring system (EPSS) score for CVE-2018-1663

CVSS scores for CVE-2018-1663

CWE ids for CVE-2018-1663

References for CVE-2018-1663