Security Bulletin: Vulberability in Apache commons io library affects IBM Engineering Test Management (ETM) (CVE-2021-29425)

Summary

This Security Vulnerablity has been addressed in IBM Engineering Test Management. A fix is available to address the vulnerability.

Vulnerability Details

CVEID:CVE-2021-29425
**DESCRIPTION:**Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199852 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading and applying the suggested fix that uses upgraded version of Apache commons io library.

Suggested :

Product(s)|**Version(s)
**|Remediation/Fix/Instructions
—|—|—
Engineering Test Management | 7.0.1|

Download and apply ETM 7.0.2 iFix21 from Fix Central here

Engineering Test Management | 7.0.2| Download and apply ETM 7.0.3 iFix22 from Fix Central here

Workarounds and Mitigations

None