IBM Support

IT27275: SENSITIVE INFORMATION DISCLOSURE (BASE64 BASIC AUTH CREDENTIALS REFLECTED BACK IN RESPONSE HEADER)


APAR status

  • Closed as duplicate of another APAR.

Error description

  • It was observed that one of the DataPower SOAP API calls is
    revealing the Base64-encoded username and password in response
    headers. Base64 is an encoding, not encryption: anyone who can
    read the response header can recover the plaintext credentials.
    Sensitive information can range from user information such as
    login credentials, social security numbers, addresses, and
    account numbers to how an application is configured and
    structured. If an application discloses any of this information
    publicly, it can be catastrophic to its users, developers,
    and the company. An attacker can use the information to social
    engineer the users or site administrators. An attacker could
    also use the information to correlate to known exploits to
    which the application's database or web server might be
    vulnerable.
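
    The APAR does not name the affected header, so the following check
    is an added example, not IBM's code or part of the fix: it scans a
    raw HTTP response for header values that decode as Base64
    `user:password` pairs, which is how reflected Basic Auth credentials
    show up. The sample response and the header name X-Debug-Auth are
    constructed for illustration and are not taken from a DataPower
    appliance. Run it against a saved response (for example the output
    of `curl -i` on the suspect SOAP endpoint) to confirm whether a
    release is affected.

```python
import base64
import binascii
import re

# Constructed sample response (assumption for illustration only; not
# captured from a real DataPower appliance). The X-Debug-Auth header
# carries base64("admin:s3cr3t"), the pattern this APAR describes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/xml\r\n"
    "X-Debug-Auth: Basic YWRtaW46czNjcjN0\r\n"
    "X-Request-Id: 8f4a2c\r\n"
    "Set-Cookie: session=abc123\r\n"
    "\r\n"
    "<soapenv:Envelope/>"
)

# Candidate Base64 runs: at least 8 alphabet characters plus optional
# padding. Short tokens (request ids, cookie values) are skipped.
BASIC_TOKEN = re.compile(r"([A-Za-z0-9+/]{8,}={0,2})")


def parse_headers(raw_response):
    """Return [(name, value), ...] from a raw HTTP response string."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def decode_basic_credentials(token):
    """Return (user, password) if token is Base64 of 'user:password',
    otherwise None. Strict decoding rejects non-Base64 look-alikes."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    # A Basic Auth payload is printable text with a colon separator.
    if ":" not in text or not text.isprintable():
        return None
    user, _, password = text.partition(":")
    if not user:
        return None
    return user, password


def find_reflected_credentials(raw_response):
    """List every header whose value contains decodable Basic Auth
    credentials. The password is reported by length only, so the
    report itself does not re-disclose the secret."""
    findings = []
    for name, value in parse_headers(raw_response):
        for match in BASIC_TOKEN.finditer(value):
            creds = decode_basic_credentials(match.group(1))
            if creds:
                findings.append({
                    "header": name,
                    "user": creds[0],
                    "password_len": len(creds[1]),
                })
    return findings


if __name__ == "__main__":
    for finding in find_reflected_credentials(SAMPLE_RESPONSE):
        print("credentials reflected in header %s (user=%s, %d-char password)"
              % (finding["header"], finding["user"], finding["password_len"]))
```

    The check reports the user name and the password length rather than
    the password itself, so the scanner's own output can be pasted into a
    ticket without repeating the disclosure. Values such as `text/xml`
    match the Base64 alphabet but fail strict decoding or the
    printable-text test, so they are not reported.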
    

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

  • This APAR is a duplicate of IT26030
    

APAR Information

  • APAR number

    IT27275

  • Reported component name

    DATAPOWER

  • Reported component ID

    DP1234567

  • Reported release

    760

  • Status

    CLOSED DUB

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-12-11

  • Closed date

    2019-01-08

  • Last modified date

    2019-01-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels



Document information

More support for: IBM DataPower Gateways
General

Software version: 760

Reference #: IT27275

Modified date: 08 January 2019