Description
The GatewayScript modules on IBM DataPower Gateways with software 7.2.0.x before 7.2.0.1, when the GatewayScript decryption API or a JWE decrypt action is enabled, do not require signed ciphertext data, which makes it easier for remote attackers to obtain plaintext data via a padding-oracle attack.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21964170
Vendor Advisory vendor-advisory
x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1IT10701
Scores
EPSS
0.0101
EPSS Percentile
59.0%
Details
CWE
CWE-200
Status
published
Products (1)
ibm/datapower_gateway
< 7.2.0.0
Published
Nov 08, 2015
Tracked Since
Feb 18, 2026