Security Bulletin: IBM Storage Fusion HCI is vulnerable to directory traversal due to Beego.

Summary

Beego is used by IBM Storage Fusion HCI as part of the user interface. See Vulnerability Details below. CVE-2022-31836, CVE-2022-31259.

Vulnerability Details

CVEID:CVE-2022-31836
**DESCRIPTION:**Beego could allow a remote attacker to traverse directories on the system, caused by a flaw in the leafInfo.match() function. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) in parameter to view arbitrary files on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230469 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2022-31259
**DESCRIPTION:**Beego could allow a remote attacker to bypass security restrictions, caused by a flaw in the route lookup process. By appending .xml in /p1/p2/:name routes, an attacker could exploit this vulnerability to access routes that they otherwise cannot access.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227145 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Upgrade to 2.8.0 - see README for upgrade instructions.

Workarounds and Mitigations

NA