Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.
AnalysisAI
IBM DataPower Gateway versions 10.6CD (10.6.1.0-10.6.5.0), 10.5.0 (10.5.0.0-10.5.0.20), and 10.6.0 (10.6.0.0-10.6.0.8) disclose sensitive system information from other domains to authenticated administrative users due to improper access control. The vulnerability requires high-privilege administrative access over the network and results in confidentiality impact only; no public exploit code or active exploitation has been confirmed. CVSS 4.1 reflects low real-world risk due to authentication requirement, though patch availability limits exposure window.
Technical ContextAI
This vulnerability stems from CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), indicating that the DataPower Gateway application fails to enforce proper domain isolation or information access boundaries at the administrative interface level. DataPower Gateway is IBM's API and XML gateway appliance used for protocol transformation and security in enterprise SOA/microservices environments. The flaw allows an authenticated admin user to access sensitive metadata or configuration details belonging to other administrative domains that should be segregated. The cross-domain nature (Scope:Changed in CVSS) suggests the vulnerability impacts the confidentiality of information outside the immediate security boundary of the attacker's administrative domain.
RemediationAI
Apply the vendor-released patch from IBM via the support notice at https://www.ibm.com/support/pages/node/7267833. Update affected DataPower Gateway instances to patched versions that enforce proper domain isolation and prevent cross-domain information access by administrative users. Interim mitigation: restrict administrative access to DataPower Gateway to trusted personnel and implement network-level controls (IP whitelisting, VPN requirements) to limit administrative console connectivity. Verify domain configurations post-patch to ensure sensitive information remains segregated between administrative domains.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209174
GHSA-6hwx-hvw3-r56g