IBM DataPower Gateway <=10.5.0.2 Session not invalidated after passwd change
CVE-2022-40228 Published on November 22, 2022

IBM DataPower Gateway session fixation
IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.

Vendor Advisory NVD

Vulnerability Analysis

Attack Vector:

ADJACENT_NETWORK

Attack Complexity:

HIGH

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Products Associated with CVE-2022-40228

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-40228 are published in IBM Datapower Gateway:

IBM Datapower Gateway

Affected Versions

IBM DataPower Gateway:

Version 10.0.3.0 and below 10.0.4.0 is affected.
Version 10.0.1.0 and below 10.0.1.9 is affected.
Version 2018.4.1.0 and below 2018.4.1.22 is affected.
Version 10.5.0.0 and below 10.5.0.2 is affected.

Exploit Probability

EPSS

0.06%

Percentile

18.48%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.