CVE-2021-20517 - OpenCVE

IBM WebSphere Application Server Network Deployment 8.5 and 9.0 could allow a remote authenticated attacker to traverse directories. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to read and delete arbitrary files on the system. IBM X-Force ID: 198435.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Websphere Application Server Nd

Configuration 1 [-]

OR	cpe:2.3:a:ibm:websphere_application_server_nd::::::::
	cpe:2.3:a:ibm:websphere_application_server_nd::::::::

No data.

References

Link	Providers
https://exchange.xforce.ibmcloud.com/vulnerabilities/198435
https://www.ibm.com/support/pages/node/6456955

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2021-06-07T14:05:14.362094Z

Updated: 2024-09-17T02:36:50.637Z

Reserved: 2020-12-17T00:00:00

Link: CVE-2021-20517

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-07T14:15:07.767

Modified: 2021-06-10T18:02:45.153

Link: CVE-2021-20517

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "WebSphere Application Server ND", "vendor": "IBM", "versions": [{"status": "affected", "version": "8.5"}, {"status": "affected", "version": "9.0"}]}], "datePublic": "2021-05-27T00:00:00", "descriptions": [{"lang": "en", "value": "IBM WebSphere Application Server Network Deployment 8.5 and 9.0 could allow a remote authenticated attacker to traverse directories. An attacker could send a specially-crafted URL request containing \"dot dot\" sequences (/../) to read and delete arbitrary files on the system. IBM X-Force ID: 198435."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 5.6, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/UI:N/A:L/C:L/I:H/AV:N/AC:H/S:U/PR:L/RL:O/E:U/RC:C", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "File Manipulation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-06-07T14:05:14", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.ibm.com/support/pages/node/6456955"}, {"name": "ibm-websphere-cve202120517-dir-traversal (198435)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198435"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "DATE_PUBLIC": "2021-05-27T00:00:00", "ID": "CVE-2021-20517", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WebSphere Application Server ND", "version": {"version_data": [{"version_value": "8.5"}, {"version_value": "9.0"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM WebSphere Application Server Network Deployment 8.5 and 9.0 could allow a remote authenticated attacker to traverse directories. An attacker could send a specially-crafted URL request containing \"dot dot\" sequences (/../) to read and delete arbitrary files on the system. IBM X-Force ID: 198435."}]}, "impact": {"cvssv3": {"BM": {"A": "L", "AC": "H", "AV": "N", "C": "L", "I": "H", "PR": "L", "S": "U", "UI": "N"}, "TM": {"E": "U", "RC": "C", "RL": "O"}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "File Manipulation"}]}]}, "references": {"reference_data": [{"name": "https://www.ibm.com/support/pages/node/6456955", "refsource": "CONFIRM", "title": "IBM Security Bulletin 6456955 (WebSphere Application Server ND)", "url": "https://www.ibm.com/support/pages/node/6456955"}, {"name": "ibm-websphere-cve202120517-dir-traversal (198435)", "refsource": "XF", "title": "X-Force Vulnerability Report", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198435"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:45:44.235Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.ibm.com/support/pages/node/6456955"}, {"name": "ibm-websphere-cve202120517-dir-traversal (198435)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198435"}]}]}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2021-20517", "datePublished": "2021-06-07T14:05:14.362094Z", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-09-17T02:36:50.637Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:websphere_application_server_nd:*:*:*:*:*:*:*:*", "matchCriteriaId": "0983B3A1-AFE5-4E82-9A3C-AA06BFE02BE8", "versionEndExcluding": "8.5.5.20", "versionStartIncluding": "8.5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:websphere_application_server_nd:*:*:*:*:*:*:*:*", "matchCriteriaId": "B45D54C7-E306-47A5-856F-5B39CD1470E3", "versionEndExcluding": "9.0.5.8", "versionStartIncluding": "9.0.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM WebSphere Application Server Network Deployment 8.5 and 9.0 could allow a remote authenticated attacker to traverse directories. An attacker could send a specially-crafted URL request containing \"dot dot\" sequences (/../) to read and delete arbitrary files on the system. IBM X-Force ID: 198435."}, {"lang": "es", "value": "IBM WebSphere Application Server Network Deployment versiones 8.5 y 9.0, podr\u00eda permitir a un atacante remoto autenticado saltar directorios. Un atacante podr\u00eda enviar una petici\u00f3n de URL especialmente dise\u00f1ada conteniendo secuencias de \"dot dot\" (/../) para leer y eliminar archivos arbitrarios en el sistema. IBM X-Force ID: 198435"}], "id": "CVE-2021-20517", "lastModified": "2021-06-10T18:02:45.153", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 4.7, "source": "psirt@us.ibm.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-07T14:15:07.767", "references": [{"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198435"}, {"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/6456955"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}