Vulnerability-Lookup

CNVD-2026-19179

Vulnerability from cnvd - Published: 2026-05-06

Title

IBM DataPower Gateway信息泄露漏洞（CNVD-2026-19179）

Description

IBM DataPower Gateway是美国国际商业机器（IBM）公司的一套专门为移动、云、应用编程接口（API）、网络、面向服务架构（SOA）、B2B和云工作负载而设计的安全和集成平台。该平台可利用专用网关平台跨渠道保护、集成和优化访问。 IBM DataPower Gateway存在信息泄露漏洞。该漏洞源于向管理员用户泄露其他域的敏感系统信息，攻击者可利用该漏洞获取敏感信息。

Severity

低

Patch Name

IBM DataPower Gateway信息泄露漏洞（CNVD-2026-19179）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.ibm.com/support/pages/node/7267833

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-36373

Impacted products

Name
['IBM DataPower Gateway 10.6CD >=10.6.1.0，<=10.6.5.0', 'IBM DataPower Gateway 10.5.0 >=10.5.0.0，<=10.5.0.20', 'IBM DataPower Gateway 10.6.0 >=10.6.0.0，<=10.6.0.8']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-36373",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-36373"
    }
  },
  "description": "IBM DataPower Gateway\u662f\u7f8e\u56fd\u56fd\u9645\u5546\u4e1a\u673a\u5668\uff08IBM\uff09\u516c\u53f8\u7684\u4e00\u5957\u4e13\u95e8\u4e3a\u79fb\u52a8\u3001\u4e91\u3001\u5e94\u7528\u7f16\u7a0b\u63a5\u53e3\uff08API\uff09\u3001\u7f51\u7edc\u3001\u9762\u5411\u670d\u52a1\u67b6\u6784\uff08SOA\uff09\u3001B2B\u548c\u4e91\u5de5\u4f5c\u8d1f\u8f7d\u800c\u8bbe\u8ba1\u7684\u5b89\u5168\u548c\u96c6\u6210\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u53ef\u5229\u7528\u4e13\u7528\u7f51\u5173\u5e73\u53f0\u8de8\u6e20\u9053\u4fdd\u62a4\u3001\u96c6\u6210\u548c\u4f18\u5316\u8bbf\u95ee\u3002\n\nIBM DataPower Gateway\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5411\u7ba1\u7406\u5458\u7528\u6237\u6cc4\u9732\u5176\u4ed6\u57df\u7684\u654f\u611f\u7cfb\u7edf\u4fe1\u606f\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.ibm.com/support/pages/node/7267833",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-19179",
  "openTime": "2026-05-06",
  "patchDescription": "IBM DataPower Gateway\u662f\u7f8e\u56fd\u56fd\u9645\u5546\u4e1a\u673a\u5668\uff08IBM\uff09\u516c\u53f8\u7684\u4e00\u5957\u4e13\u95e8\u4e3a\u79fb\u52a8\u3001\u4e91\u3001\u5e94\u7528\u7f16\u7a0b\u63a5\u53e3\uff08API\uff09\u3001\u7f51\u7edc\u3001\u9762\u5411\u670d\u52a1\u67b6\u6784\uff08SOA\uff09\u3001B2B\u548c\u4e91\u5de5\u4f5c\u8d1f\u8f7d\u800c\u8bbe\u8ba1\u7684\u5b89\u5168\u548c\u96c6\u6210\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u53ef\u5229\u7528\u4e13\u7528\u7f51\u5173\u5e73\u53f0\u8de8\u6e20\u9053\u4fdd\u62a4\u3001\u96c6\u6210\u548c\u4f18\u5316\u8bbf\u95ee\u3002\r\n\r\nIBM DataPower Gateway\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5411\u7ba1\u7406\u5458\u7528\u6237\u6cc4\u9732\u5176\u4ed6\u57df\u7684\u654f\u611f\u7cfb\u7edf\u4fe1\u606f\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM DataPower Gateway\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2026-19179\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM DataPower Gateway 10.6CD \u003e=10.6.1.0\uff0c\u003c=10.6.5.0",
      "IBM DataPower Gateway 10.5.0 \u003e=10.5.0.0\uff0c\u003c=10.5.0.20",
      "IBM DataPower Gateway 10.6.0 \u003e=10.6.0.0\uff0c\u003c=10.6.0.8"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-36373",
  "serverity": "\u4f4e",
  "submitTime": "2026-04-10",
  "title": "IBM DataPower Gateway\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2026-19179\uff09"
}

CVE-2025-36373 (GCVE-0-2025-36373)

Vulnerability from cvelistv5 – Published: 2026-04-01 20:47 – Updated: 2026-04-02 15:49

Title

Incorrect administrative access control in IBM DataPower Gateway

Summary

IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.

Severity

4.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere

Assigner

ibm

References

1 reference

URL	Tags
https://www.ibm.com/support/pages/node/7267833	vendor-advisorypatch

Impacted products

3 products

Vendor	Product	Version
IBM	DataPower Gateway 10.6CD	Affected: 10.6.1.0 , ≤ 10.6.5.0 (semver) cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:::::::* cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:::::::*
IBM	DataPower Gateway 10.5.0	Affected: 10.5.0.0 , ≤ 10.5.0.20 (semver) cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.0:::::::* cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.20:::::::*
IBM	DataPower Gateway 10.6.0	Affected: 10.6.0.0 , ≤ 10.6.0.8 (semver) cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.0:::::::* cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.8:::::::*

Credits

Acknowledgement This vulnerability was reported to IBM by Michał Bartoszuk & Maciej Włodarczyk @ STM Cyber.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36373",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T15:48:55.294586Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T15:49:19.578Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:*"
          ],
          "product": "DataPower Gateway 10.6CD",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.6.5.0",
              "status": "affected",
              "version": "10.6.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.20:*:*:*:*:*:*:*"
          ],
          "product": "DataPower Gateway 10.5.0",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.5.0.20",
              "status": "affected",
              "version": "10.5.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.8:*:*:*:*:*:*:*"
          ],
          "product": "DataPower Gateway 10.6.0",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.6.0.8",
              "status": "affected",
              "version": "10.6.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Acknowledgement This vulnerability was reported to IBM by Micha\u0142 Bartoszuk \u0026 Maciej W\u0142odarczyk @ STM Cyber."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.\u003c/p\u003e"
            }
          ],
          "value": "IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-497",
              "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T20:49:32.409Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7267833"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAffected Product(s)\u003c/td\u003e\u003ctd\u003eFixed in version\u003c/td\u003e\u003ctd\u003eFix list\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.0\u003c/td\u003e\u003ctd\u003e10.6.6.0\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.x?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.6.x\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.5.0.0 - 10.5.0.20\u003c/td\u003e\u003ctd\u003e10.5.0.21\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.5.0\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM DataPower Gateway 10.6.0.0 - 10.6.0.8\u003c/td\u003e\u003ctd\u003e10.6.0.9\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\"\u003eInstallation and Upgrade 10.6.0\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Affected Product(s)Fixed in versionFix listIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.010.6.6.0 Installation and Upgrade 10.6.x https://www.ibm.com/docs/en/datapower-gateway/10.6.x IBM DataPower Gateway 10.5.0.0 - 10.5.0.2010.5.0.21 Installation and Upgrade 10.5.0 https://www.ibm.com/docs/en/datapower-gateway/10.5.0 IBM DataPower Gateway 10.6.0.0 - 10.6.0.810.6.0.9 Installation and Upgrade 10.6.0 https://www.ibm.com/docs/en/datapower-gateway/10.6.0"
        }
      ],
      "title": "Incorrect administrative access control in IBM DataPower Gateway",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36373",
    "datePublished": "2026-04-01T20:47:46.485Z",
    "dateReserved": "2025-04-15T21:16:56.325Z",
    "dateUpdated": "2026-04-02T15:49:19.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-19179

CVE-2025-36373 (GCVE-0-2025-36373)

Tags

Sightings

Nomenclature