IBM Data Studio Web Console versions 3.1.0 and 3.1.1 could allow a remote attacker to traverse directories on the file system. An attacker could exploit this vulnerability to view potentially sensitive system files.
VULNERABILITY DETAILS
CVE ID:
CVE-2013-2981
DESCRIPTION:
Exploitation is only possible after the attacker has logged in to the web application successfully, and only for files that the operating-system account under which the server process was started has permission to read. The vulnerability does not directly affect the Data Studio Web Console process itself or the databases it monitors, but an attacker may be able to read sensitive files stored outside of the Data Studio Web Console install location.
CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83973 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/AU:S/C:P/I:N/A:N)
AFFECTED PRODUCTS:
IBM Data Studio Web Console v3.1.0 and v3.1.1 on all supported operating systems.
REMEDIATION:
Fix(es):
Upgrade to IBM Data Studio Web Console 3.2: http://www.ibm.com/developerworks/downloads/im/data/
Mitigation:
None
Workaround(s):
None
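Because the bulletin lists no mitigation or workaround short of upgrading, the following added example (not IBM code and not taken from the Data Studio Web Console) illustrates the bug class the description covers and what a practitioner can do about it in the meantime. It shows the naive join-onto-install-directory pattern that lets an authenticated user's '..' segments reach any file the server's OS account can read, a hardened reader that decodes, canonicalises and confines the path to the install directory, and a detector run over constructed access-log lines. The endpoint '/console/report?file=', the 'dswc' directory name and the log lines are assumptions made for the example.

```python
"""Path-traversal check and detection for a web console that serves files
from its install directory. Added example for this bulletin; not IBM code.
The endpoint '/console/report?file=' and the directory layout are assumed."""
import os
import re
import tempfile
import urllib.parse


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so '%252e%252e' is seen as '..'."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def vulnerable_read(install_dir: str, requested: str) -> bytes:
    """The bug class in the bulletin: the caller-supplied name is joined onto
    the install directory with no containment check, so '..' segments (or an
    absolute path) reach any file the server's OS account can read."""
    with open(os.path.join(install_dir, requested), "rb") as fh:
        return fh.read()


def hardened_read(install_dir: str, requested: str) -> bytes:
    """Decode, canonicalise, then refuse anything outside install_dir."""
    base = os.path.realpath(install_dir)
    name = _fully_decode(requested).replace("\\", "/")  # product ships on Windows too
    if os.path.isabs(name):
        raise PermissionError(f"absolute path rejected: {requested!r}")
    target = os.path.realpath(os.path.join(base, name))  # collapses '..' and symlinks
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        raise PermissionError(f"path escapes install directory: {requested!r}")
    with open(target, "rb") as fh:
        return fh.read()


def looks_like_traversal(request_target: str) -> bool:
    """True if any path or query segment is '..' once decoding is applied."""
    decoded = _fully_decode(request_target).replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?=&]", decoded))


# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - admin [14/Jun/2013:10:01:02 +0000] "GET /console/report?file=report.txt HTTP/1.1" 200 512
10.0.0.5 - admin [14/Jun/2013:10:01:09 +0000] "GET /console/report?file=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.5 - admin [14/Jun/2013:10:01:15 +0000] "GET /console/report?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0
"""
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_traversal_requests(log_text: str) -> list:
    """Return the request targets in the log that carry a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = _REQUEST_RE.search(line)
        if m and looks_like_traversal(m.group(1)):
            hits.append(m.group(1))
    return hits


def demo() -> dict:
    """Build a throwaway tree (<root>/dswc as install dir, <root>/secret.txt
    outside it) and run both readers against it."""
    root = tempfile.mkdtemp()
    install = os.path.join(root, "dswc")
    os.makedirs(install)
    with open(os.path.join(install, "report.txt"), "wb") as fh:
        fh.write(b"public report")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "wb") as fh:
        fh.write(b"outside install dir")
    out = {
        "vuln_normal": vulnerable_read(install, "report.txt"),
        "vuln_traversal": vulnerable_read(install, "../secret.txt"),  # escapes
        "hard_normal": hardened_read(install, "report.txt"),
    }
    probes = {
        "dotdot": "../secret.txt",
        "encoded": "%2e%2e/secret.txt",
        "double_encoded": "%252e%252e%252fsecret.txt",
        "backslash": "..\\secret.txt",
        "absolute": secret,
    }
    for label, probe in probes.items():
        try:
            hardened_read(install, probe)
            out[label] = "ALLOWED"
        except PermissionError:
            out[label] = "BLOCKED"
    return out
```

Run `demo()` to see the naive reader hand back the file outside the install directory while the hardened reader blocks every probe, and `flag_traversal_requests(SAMPLE_ACCESS_LOG)` to see the two traversal attempts picked out of the constructed log. The containment check compares canonical paths rather than looking for the literal string `..`, which is why the encoded, double-encoded and backslash variants are all caught; the log detector decodes before splitting for the same reason. Since the bulletin says exploitation requires a logged-in user, any hit should be read together with the authenticated user on that line.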
REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database (83973)
· CVE-2013-2981
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Program
CHANGE HISTORY:
14 June 2013: Original publication