CVE-2015-7412

IBM DataPower Gateways <7.2.0.1 - Info Disclosure

Title source: llm
STIX 2.1

Description

The GatewayScript modules on IBM DataPower Gateways with software 7.2.0.x before 7.2.0.1, when the GatewayScript decryption API or a JWE decrypt action is enabled, do not require signed ciphertext data, which makes it easier for remote attackers to obtain plaintext data via a padding-oracle attack.

References (2)

Core 2
Core References
Vendor Advisory x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21964170
Vendor Advisory vendor-advisory x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1IT10701

Scores

EPSS 0.0101
EPSS Percentile 59.0%

Details

CWE
CWE-200
Status published
Products (1)
ibm/datapower_gateway < 7.2.0.0
Published Nov 08, 2015
Tracked Since Feb 18, 2026