First published: Fri Feb 21 2020(Updated: )
This vulnerability allows remote attackers to execute arbitrary code on affected installations of IBM Spectrum Protect Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Administrative Console Framework service. When parsing the hostname parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.
Credit: psirt@us.ibm.com
Affected Software | Affected Version | How to fix |
---|---|---|
IBM Spectrum Protect Plus | ||
IBM Spectrum Protect Plus | <=10.1.0-10.1.5 | |
IBM Spectrum Protect | >=10.1.0<10.1.5 | |
IBM Spectrum Protect | =10.1.5 | |
Linux Linux kernel |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2020-4211.
The severity of CVE-2020-4211 is critical with a CVSS score of 9.8.
The affected software is IBM Spectrum Protect Plus version 10.1.0 to 10.1.5.
No, authentication is not required to exploit CVE-2020-4211.
To fix CVE-2020-4211, apply the necessary patches and updates provided by IBM.