CVE-2023-38012

CWE-22 Path Traversal | 3 documents | 3 sources
Severity: 5.3 MEDIUM
EPSS: 0.1% (top 77.85%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 25

Description

IBM Cloud Pak System 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5 | ibm/cloud_pak_system | 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, 2.3.4.0
NVD | ibm/cloud_pak_system | 2.3.3.6, 2.3.3.7, 2.3.4.0 +2

🔴 Vulnerability Details (2)

CVEList | IBM Cloud Pak System directory traversal | 2025-01-25
GHSA | GHSA-j7vf-q996-69xm: IBM Cloud Pak System 2 | 2025-01-25