CVE-2021-20517

8.8 HIGH

📋 TL;DR

This vulnerability in IBM WebSphere Application Server Network Deployment allows authenticated remote attackers to perform directory traversal attacks using specially crafted URLs containing 'dot dot' sequences (/../). Attackers can read and delete arbitrary files on the system. Affects versions 8.5 and 9.0 of IBM WebSphere Application Server Network Deployment.

💻 Affected Systems

Products:
  • IBM WebSphere Application Server Network Deployment
Versions: 8.5 and 9.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to exploit. All configurations of affected versions are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through reading sensitive files (passwords, keys, configuration) and deleting critical system files, causing service disruption or system failure.

🟠 Likely Case

Data exfiltration of sensitive application data, configuration files, or credentials stored on the server filesystem.

🟢 If Mitigated

Limited impact if proper file permissions and access controls restrict what authenticated users can access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Directory traversal is a well-understood attack pattern. Requires authenticated access but is trivial to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Interim Fix PI99821 or later cumulative fix

Vendor Advisory: https://www.ibm.com/support/pages/node/6456955

Restart Required: Yes

Instructions:

1. Download the appropriate interim fix from IBM Fix Central.
2. Stop all WebSphere servers.
3. Apply the fix using IBM Installation Manager.
4. Restart all WebSphere servers.
5. Verify the fix is applied.

🔧 Temporary Workarounds

Restrict URL patterns (all platforms)

Configure the web server or application firewall to block URLs containing directory traversal sequences.

Implement strict file permissions (all platforms)

Restrict file system permissions to limit what the WebSphere process can access.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to WebSphere servers
  • Deploy web application firewall with directory traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Check WebSphere version via administrative console or versionInfo.sh script

Check Version:

./versionInfo.sh (on Linux/Unix) or versionInfo.bat (on Windows)

Verify Fix Applied:

Verify interim fix PI99821 or later is installed via IBM Installation Manager or versionInfo.sh

📡 Detection & Monitoring

Log Indicators:

  • URL requests containing /../ patterns in access logs
  • Unauthorized file access attempts in system logs

Network Indicators:

  • HTTP requests with encoded directory traversal sequences (%2e%2e%2f, ..%2f)

SIEM Query:

source="websphere_access.log" AND (url="*../*" OR url="*..%2f*")
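The SIEM query above matches the literal `../` and `..%2f` forms, but the network indicators list also names fully percent-encoded sequences (`%2e%2e%2f`), and double-encoded (`%252e`) or backslash variants would slip past a literal match. The following detector, added here as an example and not part of the advisory or of any IBM tooling, canonicalizes each request path (repeated percent-decoding, backslash normalization) before testing for a `..` path segment, and runs over a constructed access log in a common-log-like layout. The log format, hostnames, paths and users are all assumptions made up for the example.

```python
"""Flag directory-traversal attempts in web-server access logs.

Added example: the log layout and the sample lines below are constructed
for illustration and are not real WebSphere output.
"""
import re
from urllib.parse import unquote

# Constructed sample log (client, user, timestamp, request line, status, bytes).
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2021:10:01:02 +0000] "GET /ibm/console/login.do HTTP/1.1" 200 512
10.0.0.5 - admin [12/Mar/2021:10:01:09 +0000] "GET /ibm/console/../../../etc/passwd HTTP/1.1" 200 1203
10.0.0.7 - admin [12/Mar/2021:10:02:11 +0000] "GET /ibm/console/%2e%2e%2f%2e%2e%2fconfig/cells HTTP/1.1" 200 88
10.0.0.7 - admin [12/Mar/2021:10:02:30 +0000] "GET /ibm/console/..%252f..%252fproperties HTTP/1.1" 404 0
10.0.0.9 - - [12/Mar/2021:10:03:00 +0000] "GET /ibm/console/images/logo.png HTTP/1.1" 200 4096
10.0.0.9 - admin [12/Mar/2021:10:03:05 +0000] "GET /ibm/console/..\\..\\..\\windows\\win.ini HTTP/1.1" 200 92
"""

# Parses the constructed layout; adjust the pattern for your own log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." that forms a whole path segment (bounded by a separator or string end).
# "report..pdf" must not match; "/../" and "/.." at the end must.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def canonicalize(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches %252e double encoding, up to
    max_rounds layers) and fold backslashes into forward slashes."""
    cur = path
    for _ in range(max_rounds):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True when the canonical form of the path contains a '..' segment."""
    return TRAVERSAL_RE.search(canonicalize(path)) is not None


def find_traversal_requests(log_text: str) -> list:
    """Return one record per request whose path is a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        if is_traversal(m["path"]):
            hits.append({
                "ip": m["ip"],
                "user": m["user"],
                "path": m["path"],
                "canonical": canonicalize(m["path"]),
                "status": int(m["status"]),
            })
    return hits


def summarize_by_user(hits: list) -> dict:
    """Count traversal attempts per authenticated user (the CVE requires auth,
    so the user field is the pivot for triage)."""
    counts = {}
    for h in hits:
        counts[h["user"]] = counts.get(h["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_traversal_requests(SAMPLE_LOG):
        print(f'{h["ip"]} {h["user"]} {h["status"]} {h["path"]} -> {h["canonical"]}')
    print(summarize_by_user(find_traversal_requests(SAMPLE_LOG)))
```

A 200 status on a canonicalized path that leaves the application root is the line to escalate first; a 404 still shows intent but not success. Cap the decoding rounds as the example does, since an attacker-controlled string can otherwise be made to decode indefinitely.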
