IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527.
According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”
Name | Vendor | Start Version | End Version |
---|---|---|---|
Datapower_gateway | Ibm | 10.0.1.0 (including) | 10.0.1.9 (including) |
Datapower_gateway | Ibm | 10.0.3.0 (including) | 10.0.4.0 (including) |
Datapower_gateway | Ibm | 10.5.0.0 (including) | 10.5.0.2 (including) |
Datapower_gateway | Ibm | 2018.4.1.0 (including) | 2018.4.1.22 (including) |