Security Bulletin: Vulnerability in AWS SDK for Java affects IBM Process Mining . CVE-2022-31159

Summary

There is a vulnerability in AWS SDK for Java that could allow a directory traversal . The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID:CVE-2022-31159
**DESCRIPTION:**AWS SDK for Java could allow a remote authenticated attacker to traverse directories on the system, caused by a flaw in the downloadDirectory method in the AWS S3 TransferManager component. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to write arbitrary files on the system.
CVSS Base score: 7.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231331 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L)

Affected Products and Versions

Remediation/Fixes

Remediation/Fixes guidance:

Upgrade to version 1.13.1

1.Login to PassPortAdvantage

2. Search for
M083FML Process Mining 1.13.1 Server Multiplatform Multilingual

3. Download package

4. Follow install instructions

5. Repeat for M083GML Process Mining 1.13.1 Client Windows Multilingual

| |

Workarounds and Mitigations

None known