CVE-2020-4430
In short
IBM Data Risk Manager allows authenticated users to download any file from the server by crafting special URLs that bypass directory restrictions. This lets attackers access sensitive files they shouldn't be able to reach.
Technical detail
A path traversal vulnerability in IBM Data Risk Manager 2.0.1 through 2.0.4 allows an authenticated attacker to bypass directory restrictions and download arbitrary files via a specially crafted URL request. The attack requires valid credentials; the impact is unauthorized read access to sensitive files on the system.
Summary generated and translated by AI from the official description.
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535.
CVSS:3.0/S:U/AV:N/A:N/AC:L/C:L/PR:L/UI:N/I:N/E:U/RC:C/RL:O
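The defect class behind this entry is a download handler that joins a user-supplied name onto a base directory without confirming that the resolved result still lies inside that directory. The check below is an added, product-agnostic illustration of the missing control; it is not IBM's code and makes no claim about how Data Risk Manager is implemented. The base directory `/srv/drm/exports` and the sample request strings are constructed for the example. It decodes percent-encoding repeatedly (so double-encoded `..` is not missed), rejects NUL bytes and absolute paths, resolves the candidate with `os.path.realpath`, and only then checks containment with `os.path.commonpath`.

```python
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested file name would escape the export directory."""


def _fully_decode(value: str, max_rounds: int = 3) -> str:
    # Decode until the string stops changing, so "%252e%252e" (double-encoded "..")
    # is seen as ".." rather than slipping past a single-pass check.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def safe_relative_path(base_dir: str, requested: str) -> str:
    """Return the normalized path of `requested` relative to `base_dir`.

    Raises PathTraversalError if the request would resolve outside base_dir.
    The return value is relative so the caller can join it onto base_dir.
    """
    decoded = _fully_decode(requested)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")
    # Treat backslashes as separators too; a Windows-style "..\\" must not bypass the check.
    decoded = decoded.replace("\\", "/")
    if os.path.isabs(decoded):
        raise PathTraversalError("absolute paths are not allowed")

    base = os.path.realpath(base_dir)
    # realpath also collapses symlinks, so a link inside base_dir pointing outside is caught.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"request {requested!r} escapes {base_dir!r}")
    return os.path.relpath(candidate, base)


def is_safe_request(base_dir: str, requested: str) -> bool:
    """Boolean wrapper for logging or unit tests."""
    try:
        safe_relative_path(base_dir, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical export directory.
    base = "/srv/drm/exports"
    samples = [
        "reports/q1.pdf",              # legitimate
        "reports/../q1.pdf",           # stays inside base after normalization
        "../../etc/passwd",            # plain traversal
        "..%2F..%2Fetc%2Fpasswd",      # URL-encoded separators
        "..%252F..%252Fetc%252Fpasswd",  # double-encoded
        "/etc/passwd",                 # absolute path
    ]
    for req in samples:
        verdict = "allow" if is_safe_request(base, req) else "reject"
        print(f"{verdict:6} {req}")
```

A handler that applies this check before opening the file still serves files a user is authorized to see; what it no longer does is let a crafted name select files outside the export tree. Pair it with an allow-list of permitted extensions or an explicit lookup table of downloadable artifacts where the application can afford one, since that removes the filename from attacker control altogether.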
Affected products
IBM · Data Risk Manager