IBM Cloud Pak System Directory Traversal Vulnerability Allowing Arbitrary File Access

Vulnerability

A directory traversal vulnerability has been identified in IBM Cloud Pak System versions 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0. This vulnerability could allow remote attackers to traverse directories on the system by sending specially crafted URL requests that include 'dot dot' sequences. Exploitation of this vulnerability could lead to unauthorized access to arbitrary files on the system.
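A log check for the request pattern described above, as an added example that is not part of the original advisory or IBM's own code: it flags access-log requests whose target contains a '..' segment, including percent-encoded and double-encoded forms. The combined-log-style format, the paths, the addresses and the function names are assumptions constructed for illustration, not Cloud Pak System endpoints.

```python
import re
from urllib.parse import unquote

# Request field of a combined-log-style line: "METHOD target HTTP/x.y" (assumed format)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that delimit path segments and query parameter names/values
SEGMENT_SPLIT_RE = re.compile(r"[/\\?&=;#]")

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def has_dot_dot_segment(target):
    """True if any path or query segment of the decoded target is exactly '..'."""
    return ".." in SEGMENT_SPLIT_RE.split(fully_decode(target))

def flag_traversal_requests(lines):
    """Return (line_number, raw_target) for each request containing a '..' segment."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and has_dot_dot_segment(match.group("target")):
            flagged.append((number, match.group("target")))
    return flagged

# Constructed sample log lines (documentation addresses, made-up paths)
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jun/2025:19:40:01 +0000] "GET /console/index.html HTTP/1.1" 200 5120',
    '192.0.2.44 - - [09/Jun/2025:19:41:17 +0000] "GET /static/../../private/sample.txt HTTP/1.1" 404 312',
    '192.0.2.44 - - [09/Jun/2025:19:41:18 +0000] "GET /static/%2e%2e/%2e%2e/private/sample.txt HTTP/1.1" 404 312',
    '192.0.2.44 - - [09/Jun/2025:19:41:19 +0000] "GET /static/%252e%252e%252fconf HTTP/1.1" 400 0',
    '192.0.2.10 - - [09/Jun/2025:19:42:03 +0000] "GET /docs/release..notes.txt HTTP/1.1" 200 811',
    '192.0.2.44 - - [09/Jun/2025:19:42:40 +0000] "GET /download?file=..%5cconf.xml HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for number, target in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious request target {target}")
```

Matching only whole '..' segments keeps file names such as release..notes.txt from being flagged; hits should be reviewed alongside the response status to see whether a file was actually returned.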

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive files on the system, potentially leading to further attacks.

Remediation

Users of IBM Cloud Pak System on Intel should upgrade to version 2.3.4.1, available through IBM Fix Central. For Power users, version 2.3.5.0 is recommended, also available through IBM Fix Central/Passport Advantage Online. Instructions for upgrading can be found on the IBM Support website.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 7.0
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.