Vulnerability Details : CVE-2018-1656
The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0, 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882.
Vulnerability category: Directory traversal
Products affected by CVE-2018-1656
- cpe:2.3:a:ibm:sdk:8.0:*:*:*:java_technology:*:*:*
- cpe:2.3:a:ibm:sdk:7.0:*:*:*:java_technology:*:*:*
- cpe:2.3:a:ibm:sdk:6.0:*:*:*:java_technology:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:satellite:5.6:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:satellite:5.7:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:satellite:5.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-1656
1.40%: probability of exploitation activity in the next 30 days
~86%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-1656
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N | 2.8 | 3.6 | NIST |
7.4 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N | 2.8 | 4.0 | IBM Corporation |
CWE ids for CVE-2018-1656
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Assigned by: nvd@nist.gov (Primary)
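The weakness described above is the familiar archive-extraction form of path traversal: an entry name from the archive is joined to the extraction directory without checking that the resulting path still lies inside it, so a crafted entry can overwrite files elsewhere. The following Java snippet is an added example, not IBM's DTFJ code, showing the containment check a safe extractor of compressed dump files needs; the class name, method names and target directory are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public class SafeDumpExtractor {

    // Resolve an archive entry name against the target directory and reject any
    // entry whose normalized path would land outside that directory. normalize()
    // collapses "." and ".." segments before the comparison; an absolute entry
    // name resolves to itself and therefore also fails the startsWith check.
    static Path resolveEntry(Path targetDir, String entryName) throws IOException {
        Path base = targetDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(entryName).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("Archive entry escapes target directory: " + entryName);
        }
        return candidate;
    }

    // Extract every entry of the archive into targetDir. A traversal entry aborts
    // the whole extraction rather than being written outside the directory.
    static void extract(Path archive, Path targetDir) throws IOException {
        Files.createDirectories(targetDir);
        try (ZipFile zip = new ZipFile(archive.toFile())) {
            Enumeration<? extends ZipEntry> entries = zip.entries();
            while (entries.hasMoreElements()) {
                ZipEntry entry = entries.nextElement();
                Path out = resolveEntry(targetDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(out);
                    continue;
                }
                Files.createDirectories(out.getParent());
                try (InputStream in = zip.getInputStream(entry)) {
                    Files.copy(in, out, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }
}
```

The lexical check above does not account for symbolic links already present under the target directory; an extractor that must tolerate untrusted directory contents should additionally compare the parent's `toRealPath()` against the base before writing.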
References for CVE-2018-1656
- https://access.redhat.com/errata/RHSA-2018:2575 : RHSA-2018:2575 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:2712 : RHSA-2018:2712 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.ibm.com/support/docview.wss?uid=ibm10719653 : IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:2569 : RHSA-2018:2569 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html : Oracle Critical Patch Update - April 2019 (Patch; Third Party Advisory)
- http://www.securitytracker.com/id/1041765 : IBM SPSS Statistics Bugs in Java Components Let Remote Users Modify Files and Local Users Gain Elevated Privileges - SecurityTracker (Third Party Advisory; VDB Entry)
- https://access.redhat.com/errata/RHSA-2018:2713 : RHSA-2018:2713 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:2568 : RHSA-2018:2568 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.securityfocus.com/bid/105118 : IBM Java SDK CVE-2018-1656 Directory Traversal Vulnerability (Third Party Advisory; VDB Entry)
- https://access.redhat.com/errata/RHSA-2018:2576 : RHSA-2018:2576 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/144882 : IBM Java Runtime Environment's Diagnostic Tooling Framework for Java file overwrite CVE-2018-1656 Vulnerability Report (VDB Entry; Vendor Advisory)