PT-2022-1587 · IBM · IBM Planning Analytics Workspace +1

Published 2022-01-12 · Updated 2022-02-11 · CVE-2021-38892

CVSS v2.0

10 High

Vector AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

IBM Planning Analytics versions 2.0
IBM Planning Analytics Workspace versions 2.0

Description

The issue is an improper restriction of a pathname to a restricted directory. Exploitation may allow a remote attacker to execute arbitrary code. A remote threat actor can access a valid endpoint without prior authentication, allowing them to read and write files to the system, potentially leading to path traversal and remote code execution, depending on file system permissions.

Recommendations

For IBM Planning Analytics version 2.0, consider restricting access to the DQM API to prevent unauthenticated sessions. For IBM Planning Analytics Workspace version 2.0, restrict access to the DQM API to minimize the risk of exploitation. As a temporary workaround, consider disabling the DQM API until a patch is available.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2022-00806
CVE-2021-38892

Affected Products

IBM Planning Analytics
IBM Planning Analytics Workspace