Security Bulletin: There is a vulnerability in JSZip used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-48285)

Summary

There is a vulnerability in JSZip used by IBM Maximo Manage application in IBM Maximo Application Suite.

Vulnerability Details

CVEID:CVE-2022-48285
**DESCRIPTION:**JSZip could allow a remote attacker to traverse directories on the system, caused by the failure to sanitize filenames when files are loaded with loadAsync, which makes the library vulnerable to a Zip Slip attack. By extracting files from a specially crafted archive, an attacker could gain access to parts of the file system outside of the target folder, overwrite the executable files and execute arbitrary commands on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244499 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Remediation/Fixes

For IBM Maximo Manage application in IBM Maximo Application Suite:

Upgrade to Manage 8.4.10 or latest (available from the Catalog under Update Available)

Upgrade to MAS 8.9.6 |

Upgrade to Manage 8.5.6 or latest (available from the Catalog under Update Available)

Workarounds and Mitigations

None