Security Bulletin: Vulnerability in beego affects Cloud Pak System [CVE-2022-31836]

Summary

Vulnerability in beego affects Cloud Pak System. IBM Cloud Pak System addrressed vulnerability.

Vulnerability Details

CVEID:CVE-2022-31836
**DESCRIPTION:**Beego could allow a remote attacker to traverse directories on the system, caused by a flaw in the leafInfo.match() function. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) in parameter to view arbitrary files on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230469 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

For unsupported version/release/platform IBM recommends upgrading to a fixed, supported /release/platform of the product.

The recommended solution is to apply the fix reported below as soon as practical.

For IBM Cloud Pak System v2.3.1.1, v2.3.2.0 for Power
upgrade to Cloud Pak System v2.3.3.7 , then apply Cloud Pak System v2.3.3.7 Interim Fix 1

Information on upgrading to Cloud Pak System v.2.3.3.7 for Power at <https://www.ibm.com/support/pages/node/6982511&gt;

For Cloud Pak System V2.3.3.7, apply Cloud Pak System V2.3.3.7 Interim Fix 1.

Information on upgrading to Cloud Pak System v.2.3.3.7 Interim Fix at <http://www.ibm.com/support/docview.wss?uid=ibm10887959&gt;

Workarounds and Mitigations

None