CVE-2020-4209 — Path Traversal in IBM Spectrum Protect Plus

CWE-22 — Path Traversal3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.4%

top 37.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Spectrum Protect Plus

Timeline

PublishedMay 4

Latest updateMay 24

Description

IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to create arbitrary files on the system. IBM X-Force ID: 175019.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶NVDibm/spectrum_protect_plus10.1.0 — 10.1.5

▶CVEListV5ibm/spectrum_protect_plus10.1.0, 10.1.5+1

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-6fq7-r3q7-fv44: IBM Spectrum Protect Plus 10↗2022-05-24

▶

CVEList

CVE-2020-4209: IBM Spectrum Protect Plus 10↗2020-05-04

▶