Security Bulletin: IBM Data Studio Web Console is susceptible to a “Directory Traversal Arbitrary File Download” vulnerability.
IBM Data Studio Web Console versions 3.1.0 and 3.1.1 could allow a remote attacker to traverse directories on the file system. An attacker could exploit this vulnerability to view potentially sensitive system files.
This is only possible after the user has logged in to the web application successfully and if the server process has been started with an Operating System credential that has read privileges on the file accessed by the attacker. While this vulnerability does not impact the Data Studio Web Console process itself directly or the databases it monitors, a malicious attacker may be able to access sensitive files that are stored outside of the Data Studio Web Console install location.
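The bulletin does not describe the affected code path. As an added illustration (not IBM's code or its fix), the containment check below shows how a file-download handler can refuse requests that resolve outside an install directory. The function `resolve_download`, the `webconsole` directory and all sample files are hypothetical and constructed.

```python
import os
import tempfile


def resolve_download(install_root: str, requested: str) -> str:
    """Return the canonical path of `requested` if it lies inside `install_root`."""
    root = os.path.realpath(install_root)
    # realpath collapses ".." segments and follows symlinks; os.path.join
    # drops `root` when `requested` is absolute, so that case is caught too.
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath compares whole components, so a sibling such as
    # "<root>_old" is not mistaken for a child (a startswith() pitfall).
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"outside install root: {requested!r}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate


def demo() -> dict:
    """Classify constructed sample requests against a throwaway tree."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "webconsole")  # hypothetical install dir
        os.makedirs(os.path.join(root, "logs"))
        os.makedirs(os.path.join(base, "webconsole_old"))
        outside = os.path.join(base, "secret.txt")  # file outside the root
        for path in (os.path.join(root, "logs", "server.log"), outside,
                     os.path.join(base, "webconsole_old", "conf.txt")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.symlink(outside, os.path.join(root, "logs", "link.txt"))
        samples = {
            "inside": "logs/server.log",
            "dotdot": "logs/../../secret.txt",
            "absolute": outside,
            "sibling": "../webconsole_old/conf.txt",
            "symlink": "logs/link.txt",
        }
        for label, req in samples.items():
            try:
                resolve_download(root, req)
                results[label] = "served"
            except PermissionError:
                results[label] = "blocked"
    return results
```

Running the server process under an account that has no read access to files outside the install location limits what a missed check of this kind can expose.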
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83973 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:P/I:N/A:N)
AFFECTED PRODUCTS:
IBM Data Studio Web Console v3.1.0 and v3.1.1 on all supported operating systems.
Upgrade to IBM Data Studio Web Console 3.2: http://www.ibm.com/developerworks/downloads/im/data/
14 June 2013: Original publication
Software version: 3.1, 3.1.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1638734
Modified date: 11 June 2013