Cyber Resilience

CVE-2020-4430

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 07 May 2020
Modified: 14 January 2026
KEV Added: 03 November 2021
Patch
CVSS Score (v3.1): 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.8378 (99.3rd percentile)
Risk Priority: 79 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-4430 is a medium-severity Path Traversal (CWE-22) vulnerability in IBM Data Risk Manager. Its CVSS base score is 4.3 (Medium).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

IBM Data Risk Manager versions 2.0.1, 2.0.2, 2.0.3, and 2.0.4 contain a directory traversal vulnerability tracked as CVE-2020-4430 and classified as CWE-22. The flaw permits a remote authenticated attacker to submit a specially crafted URL that traverses directories and downloads arbitrary files from the underlying system. It received a CVSS v3.1 base score of 4.3, reflecting a network attack vector, low attack complexity, low privileges required, and an impact confined to confidentiality.

An authenticated remote attacker can exploit the issue by crafting malicious URL requests to the affected application, enabling unauthorized retrieval of files stored outside the intended web-accessible directories without requiring user interaction.

IBM has published an advisory at https://www.ibm.com/support/pages/node/6206875 addressing the vulnerability, and additional details appear in X-Force and full-disclosure mailing list references.

EU & UK References

Vulnerability details

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: IBM
Product: Data Risk Manager
Versions: 2.0.1 — 2.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (AC-3, Access Enforcement): Enforces access control policies to block unauthorized retrieval of files outside intended directories via crafted URL requests.

prevent (SI-10, Information Input Validation): Validates URL inputs to reject path traversal sequences (../) that enable arbitrary file downloads.

prevent: Enforces information flow rules to stop unauthorized exfiltration of files from restricted system paths.
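As an added illustration of the SI-10 and AC-3 controls above (example code written for this page, not IBM's or the product's code), the naive join that produces the CWE-22 condition is shown beside a hardened resolver that validates the decoded path and then confirms the canonical result stays under the download root. `DOWNLOAD_ROOT` and the function names are assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed download root for the example; a real deployment would use
# the application's configured export directory.
DOWNLOAD_ROOT = "/srv/app/exports"


def vulnerable_path(root: str, user_path: str) -> str:
    """'Before' pattern: the user-supplied path is joined to the root with no
    validation, so '../' segments walk out of the intended directory."""
    return posixpath.join(root, unquote(user_path))


def safe_download_path(root: str, user_path: str) -> Optional[str]:
    """SI-10 style input validation followed by AC-3 style enforcement.

    Returns the canonical absolute path when it stays inside ``root``,
    otherwise None (the caller should answer 400/403 and log the attempt).
    """
    # Decode once so percent-encoded traversal (..%2f, %2e%2e/) is visible
    # to the checks below; double-encoded input stays a literal filename.
    decoded = unquote(user_path)
    # Validation: reject absolute paths, NUL bytes and any '..' segment.
    if decoded.startswith("/") or "\x00" in decoded:
        return None
    if any(seg == ".." for seg in decoded.split("/")):
        return None
    # Enforcement: canonicalize and require the result to be under root.
    root_abs = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_abs, decoded))
    if posixpath.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


def classify(root: str, user_path: str) -> str:
    """Label a request 'allowed' or 'blocked' for access logging/detection."""
    return "allowed" if safe_download_path(root, user_path) else "blocked"
```

Logging every "blocked" outcome with the raw request gives a simple detection signal for traversal attempts against a download endpoint.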

References