CVE-2013-3993
Published: 07 July 2014
Summary
CVE-2013-3993 is a medium-severity Path Traversal (CWE-22) vulnerability in IBM InfoSphere BigInsights. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 3.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
IBM InfoSphere BigInsights versions prior to 2.1.0.3 contain a path traversal vulnerability tracked as CVE-2013-3993 and assigned CWE-22. The flaw resides in unspecified API calls that accept crafted parameters, enabling improper access to files and directories outside intended boundaries.
Remote authenticated users can exploit the issue over the network with low attack complexity to bypass file and directory restrictions or retrieve untrusted data and code. The CVSS 3.1 score of 6.5 reflects high confidentiality impact without requiring user interaction.
IBM advisory swg21677445 and related Secunia entries direct administrators to upgrade to BigInsights 2.1.0.3 or later to address the exposure. No public reports of in-the-wild exploitation appear in the referenced sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-3925
Vulnerability details
IBM InfoSphere BigInsights before 2.1.0.3 allows remote authenticated users to bypass intended file and directory restrictions, or access untrusted data or code, via crafted parameters in unspecified API calls.
- CWE(s): CWE-22 (Path Traversal)
- KEV Date Added: 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces the intended file and directory access restrictions that the path-traversal API calls bypass.
- SI-10 (Information Input Validation): validates API parameters to block crafted inputs that enable path traversal outside authorized boundaries.
- Information flow enforcement: enforces information-flow rules that would otherwise allow unauthorized retrieval of files, directories, or untrusted code.