IBM API Connect has addressed the following vulnerability.
CVEID: CVE-2020-36193
**DESCRIPTION:** Archive_Tar could allow a remote attacker to traverse directories on the system, caused by inadequate checking of symbolic links. An attacker could send a specially-crafted URL request to the Tar.php script containing "dot dot" sequences (/../) to modify arbitrary files on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195056 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
| Affected Product(s) | Version(s) |
|---|---|
| API Connect | V5.0.0.0-5.0.8.10 |
| API Connect | V2018.4.1.0-V2018.4.1.13 |
| API Connect | V10.0.0.0-10.0.1.1 |
| Affected Product | Addressed in VRMF | APAR | Remediation / First Fix |
|---|---|---|---|
| IBM API Connect V5.0.0.0-5.0.8.10 iFixes | 5.0.8.10 iFix (Portal) published on or after January 22, 2021 | LI82083 | Addressed in IBM API Connect V5.0.8.10 iFix published on or after January 22, 2021. Developer Portal is impacted. Follow this link and find the "Portal" package: http://www.ibm.com/support/fixcentral/swg/quickorder If upgrading to 5.0.8.11, refer to important information about upgrade here: https://www.ibm.com/support/pages/node/6429049 |
| IBM API Connect V2018.4.1.0-2018.4.1.13 | 2018.4.1.15 | LI82083 | Addressed in IBM API Connect V2018.4.1.15. Developer Portal is impacted. Follow this link and find the "Portal" package: http://www.ibm.com/support/fixcentral/swg/quickorder |
| IBM API Connect V10.0.0.0-10.0.1.1 | 10.0.1.2 | LI82083 | Addressed in IBM API Connect V10.0.1.2. Developer Portal is impacted. Follow this link and find the "Portal" package: http://www.ibm.com/support/fixcentral/swg/quickorder |
Disable uploads of .tar, .tar.gz, .bz2, or .tlz files to mitigate the vulnerability.
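As an added illustration of the entry classes the description above refers to (this is example code written for this page, not code from IBM, Archive_Tar or the bulletin), the following Python audits a tar archive before anything is extracted. It flags "dot dot" traversal in member names, link targets that resolve outside the extraction root, and regular files whose path passes through an earlier symlink, which is the symlink-checking gap the description names. The function names, the in-memory sample archive and its member names are constructed for the example.

```python
import io
import posixpath
import tarfile

# Added example with assumed helper names (not IBM's or Archive_Tar's code).
# Audits archive members before extraction instead of trusting extract-time checks.


def _escapes(path: str) -> bool:
    """True if a member path or link target would resolve outside the extraction root."""
    if path.startswith("/"):
        return True
    return ".." in posixpath.normpath(path).split("/")


def find_unsafe_members(tar: tarfile.TarFile) -> list[tuple[str, str]]:
    """Return (member name, reason) for every entry that should block extraction."""
    problems = []
    symlinks = set()  # normalised names of symlinks seen so far, in archive order
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        if _escapes(m.name):
            problems.append((m.name, "traversal in member name"))
            continue
        if m.issym():
            # A symlink target is resolved relative to the link's own directory.
            if m.linkname.startswith("/"):
                target = m.linkname
            else:
                target = posixpath.join(posixpath.dirname(name), m.linkname)
            symlinks.add(name)
            if _escapes(target):
                problems.append((m.name, "link target escapes extraction root"))
                continue
        elif m.islnk():
            # A hardlink target is archive-relative.
            if _escapes(m.linkname):
                problems.append((m.name, "link target escapes extraction root"))
                continue
        # A file written under a directory that is really an earlier symlink
        # lands at that symlink's target: the failure mode the description covers.
        parts = name.split("/")
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                problems.append((m.name, f"path passes through symlink {prefix}"))
                break
    return problems


def audit_archive(blob: bytes) -> list[tuple[str, str]]:
    """Audit an in-memory archive (any compression tarfile can detect)."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        return find_unsafe_members(tar)


def _add_file(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus the three unsafe entry classes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "site/readme.txt", b"benign content\n")
        link = tarfile.TarInfo("site/escape")  # symlink pointing above the root
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
        _add_file(tar, "site/escape/payload.txt", b"written through the symlink\n")
        _add_file(tar, "../evil.txt", b"direct dot-dot traversal\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_archive(build_sample_archive()):
        print(f"REJECT {member}: {reason}")
```

An upload handler can run `audit_archive` on a received file and reject it if the list is non-empty, alongside the extension block the bulletin recommends. On Python 3.12 and later, `TarFile.extractall(path, filter="data")` enforces comparable rules at extraction time; the pre-scan above makes the decision before any write is attempted.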