Path traversal in IBM WebSphere Application Server
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-1797 |
| CWE-ID | CWE-22 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
IBM WebSphere Application Server Server applications / Application servers |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Path traversal
EUVDB-ID: #VU15918
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1797
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct directory traversal attack.
The vulnerability exists due to improper validation of user-supplied input on systems that have an Enterprise Bundle Archive (EBA) installed and with a path external to the EBA. A remote attacker can trick the victim into extracting a specially crafted ZIP archive containing 'dot dot slash' sequences that, when executed, will write arbitrary files on the target system.
Note: This vulnerability is known as "Zip-Slip".
Install update from vendor's website.
Vulnerable software versionsIBM WebSphere Application Server: 7.0 - 9.0.0.9
External linkshttp://www-01.ibm.com/support/docview.wss?uid=ibm10730699
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
