Security Bulletin: IBM Data Studio Web Console is susceptible to a “Directory Traversal Arbitrary File Download” vulnerability.

Flash (Alert)


Abstract

IBM Data Studio Web Console versions 3.1.0 and 3.1.1 could allow a remote attacker to traverse directories on the file system. An attacker could exploit this vulnerability to view potentially sensitive system files.

Content

VULNERABILITY DETAILS

CVE ID:
CVE-2013-2981

DESCRIPTION:

Exploitation is only possible after the user has logged in to the web application successfully, and only if the server process was started with an operating system credential that has read privileges on the file being accessed. While this vulnerability does not directly affect the Data Studio Web Console process itself or the databases it monitors, an attacker may be able to read sensitive files that are stored outside of the Data Studio Web Console install location.
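The defensive counterpart to the flaw this bulletin describes, as an added example that is not IBM's code: a download handler that decodes the client-supplied path and then confines the resolved file to its base directory, beside a small check that flags upward-walking requests during access-log review. The DOWNLOAD_ROOT path and the function names are assumptions for illustration, not part of the product.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed example: the console's download root (assumed path, not IBM's).
DOWNLOAD_ROOT = "/opt/console/downloads"


def canonical_request_path(requested: str) -> str:
    """Decode the client-supplied path the way a permissive server would,
    so that encoded and double-encoded traversal sequences become visible."""
    decoded = requested
    for _ in range(2):  # cover single and double percent-encoding
        decoded = unquote(decoded)
    return decoded.replace("\\", "/")  # treat backslashes as separators too


def resolve_download(base: str, requested: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request escapes base.
    Containment is decided on the normalised path, never on the raw string,
    so 'reports/../x' is allowed (still inside base) while '../../etc/passwd'
    in any encoding is refused."""
    base_real = os.path.realpath(base)
    decoded = canonical_request_path(requested)
    # Join relative to base; a leading '/' would otherwise replace base entirely.
    candidate = os.path.realpath(os.path.join(base_real, decoded.lstrip("/")))
    if candidate == base_real or candidate.startswith(base_real + os.sep):
        return candidate
    return None


def is_traversal_attempt(requested: str) -> bool:
    """Detection helper for access-log review: flag any request whose decoded
    form contains a '..' path component, whether plain, percent-encoded or
    backslash-separated. A legitimate console client never needs one."""
    parts = canonical_request_path(requested).split("/")
    return ".." in parts
```

A contained path is still only as safe as the OS account the server runs under, which is why the bulletin ties exposure to the process credential's read privileges.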


CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83973 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:P/I:N/A:N)


AFFECTED PRODUCTS:

IBM Data Studio Web Console v3.1.0 and v3.1.1 on all supported operating systems.

REMEDIATION:

Fix(es):
Upgrade to IBM Data Studio Web Console 3.2 - http://www.ibm.com/developerworks/downloads/im/data/

Mitigation:
None

Workaround(s):
None


REFERENCES:

· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database (83973)
· CVE-2013-2981

RELATED INFORMATION:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Program


CHANGE HISTORY:

14 June 2013: Original publication


Document information


More support for:

IBM Data Studio
Web Console

Software version:

3.1, 3.1.1

Operating system(s):

AIX, HP-UX, Linux, Linux zSeries, Solaris, Windows

Reference #:

1638734

Modified date:

2013-06-11
