CVE-2020-4211 — OS Command Injection in IBM Spectrum Protect

CWE-78 — OS Command Injection CWE-74 — Injection5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

48.5%

top 2.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Spectrum Protect IBM Spectrum Protect Plus

Timeline

PublishedFeb 24

Latest updateApr 23

Description

IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. IBM X-Force ID: 175022.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5ibm/spectrum_protect_plus10.1.0, 10.1.5+1

▶NVDibm/spectrum_protect10.1.0 — 10.1.5+1

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-6w3r-59v2-xcqg: IBM Spectrum Protect Plus 10↗2022-05-24

▶

CVEList

CVE-2020-4211: IBM Spectrum Protect Plus 10↗2020-02-24

▶

🔍Detection Rules

Suricata

ET EXPLOIT IBM Spectrum Protect Plus - Command Injection Attempt Inbound (CVE-2020-4211)↗2025-04-23

▶

📋Vendor Advisories

Microsoft

Microsoft Excel Remote Code Execution Vulnerability↗2020-12-08

▶