CVE-2022-40608

Name of the Vulnerable Software and Affected Versions IBM Spectrum Protect Plus versions 10.1.6 through 10.1.11 Microsoft File Systems version (affected versions not specified)

Description The issue is related to the backup and restore functionality of Microsoft File Systems in IBM Spectrum Protect Plus, where an incorrect restriction of a directory path with limited access can be exploited. This can allow a remote attacker to disclose protected information by manipulating the URL with a directory traversal attack, gaining access to files that the operator should not have access to.

Recommendations For IBM Spectrum Protect Plus versions 10.1.6 through 10.1.11, consider restricting access to the restore operation until a patch is available. As a temporary workaround, avoid using the restore operation with manipulated URLs to minimize the risk of exploitation. Restrict access to sensitive files on the target machine to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.