CVE-2020-4222

Name of the Vulnerable Software and Affected Versions IBM Spectrum Protect Plus versions 10.1.0 through 10.1.5

Description The issue is related to the failure to neutralize special elements in user-input strings during password parameter syntax analysis in the Administrative Console Framework service of IBM Spectrum Protect Plus. This can be exploited by a remote attacker using a specially crafted HTTP command to execute arbitrary code on the system.

Recommendations For IBM Spectrum Protect Plus versions 10.1.0 through 10.1.5, consider restricting access to the password parameter in the affected service until a patch is available. As a temporary workaround, avoid using specially crafted HTTP commands that could exploit this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.