Cyber Posture

CVE-2024-52363

Medium

Published: 17 January 2025

Modified: 11 March 2025
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0006 (17.3th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

IBM InfoSphere Information Server 11.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

Security Summary

CVE-2024-52363 is a directory traversal vulnerability (CWE-22) in IBM InfoSphere Information Server 11.7. Published on 2025-01-17, it enables a remote attacker to navigate directories on the system by sending a specially crafted URL request with "dot dot" sequences (/../), allowing access to arbitrary files.

The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). A remote attacker with low privileges can exploit it over the network with low complexity and no user interaction required, resulting in high confidentiality impact through unauthorized file disclosure, while integrity and availability remain unaffected.

IBM has issued an advisory at https://www.ibm.com/support/pages/node/7176515 detailing the issue, where practitioners can review recommended patches and mitigation guidance.

Details

CWE(s)
CWE-22

Affected Products

ibm infosphere information server 11.7
