CVE-2018-2006 — Path Traversal in IBM Robotic Process Automation With Automation Anywhere

CWE-22 — Path Traversal CWE-287 — Improper Authentication6 documents5 sources

Severity

4.9MEDIUMNVD

EPSS

0.2%

top 56.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Robotic Process Automation With Automation Anywhere

Timeline

PublishedFeb 21

Latest updateMay 13

Description

IBM Robotic Process Automation with Automation Anywhere 11 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to upload arbitrary files to the system. IBM X-Force ID: 155008.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶NVDibm/robotic_process_automation_with_automation_anywhere11.0.0.0 — 11.0.0.4

▶CVEListV5ibm/robotic_process_automation_with_automation_anywhere11

🔴Vulnerability Details

GHSA

GHSA-w6q2-m8gg-pjv5: IBM Robotic Process Automation with Automation Anywhere 11 could allow a remote attacker to traverse directories on the system↗2022-05-13

▶

CVEList

CVE-2018-2006: IBM Robotic Process Automation with Automation Anywhere 11 could allow a remote attacker to traverse directories on the system↗2019-02-21

▶

📋Vendor Advisories

Red Hat

strongswan: authentication bypass in verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c↗2018-09-24

▶

💬Community

Bugzilla

CVE-2018-16152 strongswan: authentication bypass in verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c↗2018-10-03

▶

Bugzilla

CVE-2018-10245 awstats: Full path disclosure vulnerability allows attackers to disclose location of config file↗2018-04-26

▶