CVE-2021-20354

7.5 HIGH

📋 TL;DR

CVE-2021-20354 is a directory traversal vulnerability in IBM WebSphere Application Server that allows remote attackers to read arbitrary files on the system by sending specially crafted URL requests containing directory traversal sequences. This affects IBM WebSphere Application Server versions 8.0, 8.5, and 9.0.

💻 Affected Systems

Products:
  • IBM WebSphere Application Server
Versions: 8.0, 8.5, 9.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive system files including configuration files, credentials, and application source code, potentially leading to complete system compromise.

🟠 Likely Case

Attackers would read configuration files and sensitive data, enabling further attacks like credential theft and privilege escalation.

🟢 If Mitigated

With proper network segmentation and access controls, impact would be limited to reading non-sensitive files within the WebSphere directory.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests with directory traversal sequences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Interim Fix PI99848 or later cumulative fix

Vendor Advisory: https://www.ibm.com/support/pages/node/6415959

Restart Required: Yes

Instructions:

1. Download the appropriate interim fix from IBM Fix Central.
2. Stop all WebSphere servers.
3. Apply the fix using IBM Installation Manager.
4. Restart all servers.

🔧 Temporary Workarounds

URL Filtering (platforms: all)

Configure the web server or web application firewall to block requests containing directory traversal sequences.

File System Permissions (platforms: linux)

Restrict the permissions of the WebSphere process so that it can only read the directories it needs.

chmod 750 /path/to/sensitive/directories
chown wasadmin:wasgroup /path/to/websphere

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WebSphere servers from sensitive systems
  • Deploy web application firewall with directory traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Send an HTTP request containing directory traversal sequences to the WebSphere server and check whether the response discloses file contents.

Check Version:

$WAS_HOME/bin/versionInfo.sh

Verify Fix Applied:

Confirm that interim fix PI99848 is installed and that directory traversal requests no longer return file contents.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '/../' patterns in access logs
  • Unusual file access patterns from WebSphere process

Network Indicators:

  • HTTP requests with multiple directory traversal sequences
  • Responses containing file contents that shouldn't be accessible

SIEM Query:

source="websphere_access.log" AND ("%2F..%2F" OR "/../")
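The SIEM query above only matches two literal spellings of the traversal sequence; requests that encode the dots (`%2e%2e%2f`) or double-encode the whole segment (`%252e%252e%252f`) would slip past it. The following script, added here as an example and not part of the original advisory or of IBM's tooling, shows a log-side check that percent-decodes each request path until it is stable and then looks for a `..` path segment. The access-log lines, IP addresses and paths are constructed for illustration; the combined-log layout and the rule that a 200 response is a stronger indicator than a 404 are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log entries (Apache combined-style) used only to
# exercise the scanner; they are not taken from any real WebSphere system.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2021:10:01:02 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120
10.0.0.7 - - [12/Jan/2021:10:01:09 +0000] "GET /app/../../etc/passwd HTTP/1.1" 200 1844
10.0.0.7 - - [12/Jan/2021:10:01:11 +0000] "GET /app/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1844
10.0.0.9 - - [12/Jan/2021:10:01:15 +0000] "GET /app/%252e%252e%252fconfig HTTP/1.1" 404 210
10.0.0.5 - - [12/Jan/2021:10:01:20 +0000] "GET /app/static/logo..png HTTP/1.1" 200 3000
"""

# Fields we need from each line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A ".." segment bounded by separators (or the end of the path). Backslash is
# treated as a separator so "..\" variants are caught as well; a filename such
# as "logo..png" is not a segment and is deliberately not matched.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')


def decode_path(path, max_rounds=3):
    """Percent-decode repeatedly until the result stops changing, so a
    double-encoded %252e%252e%252f collapses to '../' like a single-encoded one."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def has_traversal(path):
    """True if the (already decoded) path contains a '..' path segment."""
    return TRAVERSAL_RE.search(path) is not None


def scan_log(text):
    """Return one finding per log line whose request path contains a traversal
    segment after decoding. A 200 response is labelled 'possible_disclosure'
    because the server may have served the file; any other status is an
    'attempt' worth correlating but not by itself evidence of disclosure."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry we can parse; skip it
        decoded = decode_path(m.group('path'))
        if not has_traversal(decoded):
            continue
        status = int(m.group('status'))
        findings.append({
            'ip': m.group('ip'),
            'timestamp': m.group('ts'),
            'raw_path': m.group('path'),
            'decoded_path': decoded,
            'status': status,
            'verdict': 'possible_disclosure' if status == 200 else 'attempt',
        })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:20} {f['ip']:10} {f['status']} "
              f"{f['decoded_path']}  (raw: {f['raw_path']})")
```

Run against the constructed sample, the scanner flags the three traversal requests (two plain or single-encoded ones that returned 200, and one double-encoded one that returned 404) and ignores both the normal request and the `logo..png` filename. Decoding until stable, rather than once, is what makes the double-encoded line visible; the same normalisation is worth applying in a WAF rule or SIEM parser before any string match.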
