CVE-2020-4430
published 2020-05-07

Priority: P278 (medium)
CVSS 3.1 base score: 4.3
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 68.54% (99.2 percentile)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535.

Affected (7 ranges)

Vendor | Product           | Version range | Fixed in
ibm    | data_risk_manager | 2.0.1 – 2.0.4 | (not listed)

The remaining six entries repeat vendor ibm and product data_risk_manager with no version range or fix version shown.

Detection & IOCs (extracted from sources)

URL: /albatross/eurekaservice/fetchLogFiles
Bytes: |2e 2e|
Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT IBM Data Risk Manager Arbitrary File Download (CVE-2020-4430)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/albatross/eurekaservice/fetchLogFiles"; endswith; fast_pattern; http.request_body; content:"instanceId"; nocase; content:"logLevel"; nocase; content:"logFileNameList"; nocase; content:"|2e 2e|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; reference:cve,2020-4430; classtype:attempted-admin; sid:2034312; rev:1;)
  • Exploit traffic uses HTTP POST method to the specific endpoint /albatross/eurekaservice/fetchLogFiles with directory traversal sequences (|2e 2e| = '..') in the request body alongside the fields 'instanceId', 'logLevel', and 'logFileNameList'.
  • The attacker must be a remote authenticated user; monitor for authenticated sessions issuing POST requests to the fetchLogFiles endpoint with path traversal patterns.
  • The Snort/ET rule matches traffic to both $HOME_NET and $HTTP_SERVERS on any port, because IBM Data Risk Manager may be deployed on non-standard ports; make sure coverage is not limited to ports 80/443.
  • CVE-2020-4430 (directory traversal) is distinct from CVE-2020-4429 (hardcoded credentials: SSH default password 'idrm' for user 'a3user'); the template and sources conflate the two, so ensure detections are scoped to the correct CVE.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 4.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd       | v3.0    | 4.3   | MEDIUM   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd       | v2.0    | 4.0   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:N/A:N
vulncheck | –       | 4.3   | MEDIUM   | –
cisa      | –       | 4.3   | MEDIUM   | –