EUVD-2025-208662

CVE-2025-14483 MEDIUM
2026-03-13 ibm
CVSS 3.1: 4.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Patch Released: Mar 20, 2026 - 19:19 (nvd), patch available
EUVD ID Assigned: Mar 13, 2026 - 20:00 (euvd), EUVD-2025-208662
Analysis Generated: Mar 13, 2026 - 20:00 (vuln.today)
CVE Published: Mar 13, 2026 - 19:15 (nvd), MEDIUM 4.3

Description

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 could disclose sensitive host information to authenticated users in responses that could be used in further attacks against the system.

Analysis

IBM Sterling B2B Integrator and IBM Sterling File Gateway contain an information disclosure vulnerability (CWE-201) that allows authenticated users to obtain sensitive host information through application responses, which could facilitate further attacks against the system. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple minor version branches. Its CVSS 3.1 score of 4.3 (Medium) reflects a low confidentiality impact with no integrity or availability impact. The requirement for authentication and the lack of active exploitation reporting (KEV status unknown) make this a lower priority than unauthenticated remote code execution issues, though it remains a valid security concern that requires patching.

Technical Context

The vulnerability exists in IBM Sterling B2B Integrator (cpe:2.3:a:ibm:sterling_b2b_integrator) and IBM Sterling File Gateway (cpe:2.3:a:ibm:sterling_file_gateway), enterprise integration platforms used for secure file transfer and B2B communication. The root cause is classified as CWE-201 (Exposure of Sensitive Information Through Response), indicating that the application improperly discloses sensitive host information in HTTP responses or API replies that should be restricted. The affected versions include the 6.1.x branch (6.1.0.0-6.1.2.7_2) and the 6.2.x branch (6.2.0.0-6.2.2.0), suggesting the vulnerability may stem from code shared across these release branches or from a design issue in how authentication and information filtering are implemented across these integration platforms.

Affected Products

IBM Sterling B2B Integrator and IBM Sterling File Gateway are both affected in versions 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0. The products are identified by the CPE entries cpe:2.3:a:ibm:sterling_b2b_integrator and cpe:2.3:a:ibm:sterling_file_gateway respectively. Organizations running any version in these ranges should verify their installed version against IBM's security advisory and the patch availability documentation on IBM's Security Vulnerabilities website.

Remediation

Apply IBM's security patch immediately upon availability for affected versions 6.1.x and 6.2.x. IBM typically provides cumulative security fixes; consult the official IBM Sterling security advisory for specific patch versions such as 6.1.2.8 or 6.2.2.1 (exact versions to be confirmed via IBM documentation). Upgrade to the latest available version in your branch if a direct patch is not yet available. As an interim control, use firewall rules to restrict access to IBM Sterling B2B Integrator and File Gateway to trusted networks only, which limits the set of authenticated users who can reach the responses that disclose host information. Additionally, review application logs and access controls to identify any unauthorized information access attempts, and audit user account privileges so that only necessary administrative accounts retain access to sensitive system responses.

Priority Score

22
KEV: 0
EPSS: +0.0
CVSS: +22
POC: 0
