VIR Vulnerability Intelligence Relay

CVE-2015-7412

low
Published 2015-11-08 · Modified 2026-05-06
CVSS v3
CVSS v2
2.6
VIR risk
2.6

Description

The GatewayScript modules on IBM DataPower Gateways with software 7.2.0.x before 7.2.0.1, when the GatewayScript decryption API or a JWE decrypt action is enabled, do not require signed ciphertext data, which makes it easier for remote attackers to obtain plaintext data via a padding-oracle attack.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: psirt@us.ibm.com — http://www-01.ibm.com/support/docview.wss?uid=swg21964170

vendor Authored 2026-05-27

Vendor advisory: psirt@us.ibm.com — http://www-01.ibm.com/support/docview.wss?uid=swg1IT10701

Application impact
VendorProductVersionsFixed
ibm ibmdatapower_gateway{"endIncluding":"7.2.0.0"}

References

CWEs

CWE-200

Verify integrity in audit chain (admin only). AS-IS.