IBM67E7025B20476E378FB9C1A1E99B76B29D0C6932BB16370C49B469A757C55C2ASecurity Bulletin: Security vulnerability has been identified in IBM License Metric Tool v9.
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
35.2%
Summary
IBM License Metric Tool could allow a remote attacker to get read access to ‘/WEB-INF’ folder on the ILMT server. This bulletin identifies the security fixes to apply to address the vulnerability.
Vulnerability Details
CVEID:CVE-2023-43044
**DESCRIPTION:**IBM License Metric Tool could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266893 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM License Metric Tool | All |
Remediation/Fixes
Upgrade ILMT Server to version 9.2.33 or later using the following procedure:
<https://www.ibm.com/docs/en/license-metric-tool?topic=tool-upgrading-latest-version>.
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | license_metric_tool | 9.2 | cpe:2.3:a:ibm:license_metric_tool:9.2:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
35.2%