Vulnerability identifier: #VU26557
Vulnerability risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
IBM Spectrum Protect Plus
Server applications /
Other server solutions
Vendor: IBM Corporation
Description
The vulnerability allows a remote attacker to delete arbitrary directories.
The vulnerability exists due to insufficient validation of user-supplied input via "cleanupUpdateImage" in the Administrative Console Framework service. A remote attacker can pass specially crafted input to the application and delete arbitrary directories on the target system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
IBM Spectrum Protect Plus: 10.1.0.0 - 10.1.5.0
External links
http://exchange.xforce.ibmcloud.com/vulnerabilities/175026
http://www.ibm.com/support/pages/node/6114130
http://www.zerodayinitiative.com/advisories/ZDI-20-343/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.