Lucene search

IBM8CB130782E0EA06727D444DB8ECCE123B34C9DAD229985F76A0A2D1046098809

HistoryMar 12, 2024 - 5:16 p.m.

Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable directory traversal due to Apache Shiro (CVE-2023-34478)

2024-03-1217:16:04

www.ibm.com

ibm sterling partner engagement manager

apache shiro

cve-2023-34478

vulnerability

directory traversal

remote attacker

system

validation

cvss

affected products

versions

remediation

upgrade

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.9%

JSON

Summary

IBM Sterling Partner Engagement Manager uses Apache Shiro. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID:CVE-2023-34478
**DESCRIPTION:**Apache Shiro could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user request. An attacker could send a specially crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261345 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Sterling Partner Engagement Manager	6.2.2
IBM Sterling Partner Engagement Manager	6.1.2
IBM Sterling Partner Engagement Manager	6.2.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading …

Product	Version	Remediation
IBM Sterling Partner Engagement Manager Essentials Edition	6.2.2.2	Link
IBM Sterling Partner Engagement Manager Standard Edition	6.2.2.2	Link
IBM Sterling Partner Engagement Manager Essentials Edition	6.1.2.9	Link
IBM Sterling Partner Engagement Manager Standard Edition	6.1.2.9	Link
IBM Sterling Partner Engagement Manager Essentials Edition	6.2.0.7	Link
IBM Sterling Partner Engagement Manager Standard Edition	6.2.0.7	Link

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmmulti-enterprise_integration_gatewayMatch6.2.2.2

ibmmulti-enterprise_integration_gatewayMatch6.1.2.9

ibmmulti-enterprise_integration_gatewayMatch6.2.0.7

CPENameOperatorVersion
multi-enterprise relationship managementeq6.2.2.2
multi-enterprise relationship managementeq6.1.2.9
multi-enterprise relationship managementeq6.2.0.7