CVSS2 score: 4.3 Medium (vector AV:N/AC:M/Au:N/C:N/I:N/A:P)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

CVSS3 score: 5.5 Medium (vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

EPSS: 0.002 Low (percentile 54.0%)
UnZip.exe is used by IBM Tivoli Application Dependency Discovery Manager and is vulnerable to CVE-2021-4217, CVE-2022-0529, CVE-2022-0530 (Publicly disclosed vulnerabilities)
CVEID: CVE-2021-4217
**DESCRIPTION:** Info-ZIP UnZip could allow a remote attacker to execute arbitrary code on the system, caused by a NULL pointer dereference flaw in the handling of Unicode strings. By persuading a victim to open a specially-crafted .zip file, an attacker could exploit this vulnerability to execute arbitrary code or cause the system to crash.
CVSS Base score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/234332 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-0529
**DESCRIPTION:** Unzip could allow a remote attacker to execute arbitrary code on the system, caused by a heap out-of-bounds write during the conversion of a wide string to a local string. By persuading a victim to open a specially-crafted zip file, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/219388 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-0530
**DESCRIPTION:** Unzip could allow a remote attacker to execute arbitrary code on the system, caused by a segmentation fault during the conversion of a UTF-8 string to a local string. By persuading a victim to open a specially-crafted zip file, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/219387 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Tivoli Application Dependency Discovery Manager | 7.3.0.0 - 7.3.0.9 |
TADDM FixPack 7.3.0.10 has been released. Please upgrade to 7.3.0.10 to resolve all UnZip.exe vulnerabilities known at the date of release.
In TADDM FixPack 7.3.0.10, PowerShell 5.1 or later replaces UnZip.exe and its functionality.
This applies to the Windows Discovery Server and the Windows Anchor; the same functionality is available through the following command:
`Expand-Archive -Path <zip path> -DestinationPath <path>`
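The following PowerShell script is an added example, not part of the IBM bulletin or of TADDM itself. It shows how an operator of a Windows Discovery Server or Anchor can verify, after applying the fix pack, that no UnZip.exe binary remains under the install root, and then perform the extraction with the built-in Expand-Archive cmdlet the bulletin names. The install root `C:\IBM\taddm` and the sample archive path are assumptions and must be adjusted.

```powershell
# Added example (not IBM's code). Post-upgrade check for leftover UnZip.exe
# binaries, followed by the Expand-Archive replacement described in the bulletin.
param(
    [string]$TaddmRoot = 'C:\IBM\taddm',        # assumption: your TADDM install root
    [string]$Archive   = 'C:\temp\sample.zip',  # constructed sample input
    [string]$Dest      = 'C:\temp\extracted'    # constructed sample output folder
)

# FixPack 7.3.0.10 relies on PowerShell 5.1 or later for Expand-Archive; fail fast otherwise.
if ($PSVersionTable.PSVersion -lt [version]'5.1') {
    throw "PowerShell 5.1 or later is required (found $($PSVersionTable.PSVersion))"
}

# Inventory any remaining UnZip.exe (the vulnerable component) with version and hash,
# so the finding can be recorded and the binary removed or replaced.
$leftovers = Get-ChildItem -Path $TaddmRoot -Recurse -Filter 'unzip.exe' -File -ErrorAction SilentlyContinue
foreach ($f in $leftovers) {
    [pscustomobject]@{
        Path    = $f.FullName
        Version = $f.VersionInfo.FileVersion
        SHA256  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
if (-not $leftovers) { Write-Output "No UnZip.exe found under $TaddmRoot" }

# Replacement for the former UnZip.exe call: the built-in cmdlet, as the bulletin describes.
Expand-Archive -Path $Archive -DestinationPath $Dest -Force
```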
Use the fix table below to download TADDM FixPack 7.3.0.10.
Fix | How to acquire fix |
---|---|
7.3-TIV-ITADDM-FP00010 | Download FixPack |
Refer to the following URL for more information on TADDM FixPack 7.3.0.10.
<https://www.ibm.com/docs/en/taddm/7.3.0?topic=release-notes#relnotes__fp10>
None