⚠ Actively exploited

Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-4430 — Path Traversal in IBM Data Risk Manager

CWE-22 — Path Traversal6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

83.8%

top 0.71%

CISA KEV

KEV

Added 2021-11-03

Due 2022-05-03

Exploit

Exploited in wild

Active exploitation observed

Affected products

IBM Data Risk Manager

Timeline

PublishedMay 7

KEV addedNov 3

KEV dueMay 3

Latest updateMay 24

CISA Required Action: Apply updates per vendor instructions.

Description

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDibm/data_risk_manager2.0.1 — 2.0.4

▶CVEListV5ibm/data_risk_manager6 versions+5

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-86cc-wh6w-cw2h: IBM Data Risk Manager 2↗2022-05-24

▶

CVEList

CVE-2020-4430: IBM Data Risk Manager 2↗2020-05-07

▶

VulnCheck

IBM Data Risk Manager Directory Traversal Vulnerability↗2020

▶

🔍Detection Rules

Suricata

ET EXPLOIT IBM Data Risk Manager Arbitrary File Download (CVE-2020-4430)↗2021-11-01

▶

📋Vendor Advisories

CISA

IBM Data Risk Manager Directory Traversal Vulnerability↗2021-11-03

▶