{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-36373", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-04-15T21:16:56.325Z", "datePublished": "2026-04-01T20:47:46.485Z", "dateUpdated": "2026-04-01T20:49:32.409Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-01T20:49:32.409Z"}, "title": "Incorrect administrative access control in IBM DataPower Gateway", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "DataPower Gateway 10.6CD", "versions": [{"status": "affected", "version": "10.6.1.0", "lessThanOrEqual": "10.6.5.0", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:datapower_gateway_106cd:10.6.5.0:*:*:*:*:*:*:*"]}, {"vendor": "IBM", "product": "DataPower Gateway 10.5.0", "versions": [{"status": "affected", "version": "10.5.0.0", "lessThanOrEqual": "10.5.0.20", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:datapower_gateway_1050:10.5.0.20:*:*:*:*:*:*:*"]}, {"vendor": "IBM", "product": "DataPower Gateway 10.6.0", "versions": [{"status": "affected", "version": "10.6.0.0", "lessThanOrEqual": "10.6.0.8", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:datapower_gateway_1060:10.6.0.8:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7267833", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "Affected Product(s)Fixed in versionFix listIBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.010.6.6.0 Installation and Upgrade 10.6.x https://www.ibm.com/docs/en/datapower-gateway/10.6.x IBM DataPower Gateway 10.5.0.0 - 10.5.0.2010.5.0.21 Installation and Upgrade 10.5.0 https://www.ibm.com/docs/en/datapower-gateway/10.5.0 IBM DataPower Gateway 10.6.0.0 - 10.6.0.810.6.0.9 Installation and Upgrade 10.6.0 https://www.ibm.com/docs/en/datapower-gateway/10.6.0", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><table><tbody><tr><td>Affected Product(s)</td><td>Fixed in version</td><td>Fix list</td></tr><tr><td>IBM DataPower Gateway 10.6CD 10.6.1.0 - 10.6.5.0</td><td>10.6.6.0</td><td><a href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.x?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\">Installation and Upgrade 10.6.x</a></td></tr><tr><td>IBM DataPower Gateway 10.5.0.0 - 10.5.0.20</td><td>10.5.0.21</td><td><a href=\"https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\">Installation and Upgrade 10.5.0</a></td></tr><tr><td>IBM DataPower Gateway 10.6.0.0 - 10.6.0.8</td><td>10.6.0.9</td><td><a href=\"https://www.ibm.com/docs/en/datapower-gateway/10.6.0?topic=overview-release-notes#relnotes__install__title__1\" rel=\"nofollow\">Installation and Upgrade 10.6.0</a></td></tr></tbody></table></div><p><br></p>"}]}], "x_generator": {"engine": "ibm-cvegen"}, "credits": [{"lang": "en", "value": "Acknowledgement This vulnerability was reported to IBM by Micha\u0142 Bartoszuk & Maciej W\u0142odarczyk @ STM Cyber.", "type": "finder"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user."}], "id": "CVE-2025-36373", "lastModified": "2026-04-01T21:16:57.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-04-01T21:16:57.897", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7267833"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{}