CVE-2019-4400

Summary

IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 162261.

Affected Software

VendorProductVersion RangeStatus
IBMCloud Orchestrator2.4affected
IBMCloud Orchestrator2.4.0.1affected
IBMCloud Orchestrator2.4.0.2affected
IBMCloud Orchestrator2.5affected
IBMCloud Orchestrator2.5.0.1affected
IBMCloud Orchestrator2.4.0.3affected
IBMCloud Orchestrator2.5.0.2affected
IBMCloud Orchestrator2.4.0.4affected
IBMCloud Orchestrator2.5.0.3affected
IBMCloud Orchestrator2.5.0.4affected
IBMCloud Orchestrator2.4.0.5affected
IBMCloud Orchestrator2.5.0.5affected
IBMCloud Orchestrator2.5.0.6affected
IBMCloud Orchestrator2.5.0.7affected
IBMCloud Orchestrator2.5.0.8affected
IBMCloud Orchestrator2.5.0.9affected

Weaknesses

  • Obtain Information

ADP Enrichment

CVE Program Container

Additional References

References