Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Guardium Data Protection 12.1 could allow an administrative user to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to write arbitrary files on the system.
AnalysisAI
Arbitrary file write vulnerability in IBM Guardium Data Protection 12.1 allows authenticated administrative users to traverse directories and write files to arbitrary locations via specially crafted URLs containing path traversal sequences (/../). The vulnerability requires high-privilege admin credentials and network access but results in integrity compromise without requiring user interaction, making it a post-authentication privilege abuse risk for organizations running this data protection platform.
Technical ContextAI
The vulnerability exploits improper input validation in URL handling within Guardium Data Protection's web interface. The underlying issue is a path traversal flaw (CWE-22) where the application fails to sanitize or canonicalize user-supplied file paths before processing directory operations. Attackers can inject directory traversal sequences (dot-dot-slash patterns: /../) to escape intended directory boundaries and access the broader filesystem. This type of flaw commonly occurs in web applications and APIs that construct file paths dynamically from user input without proper validation against directory escape attempts. The CPE context indicates this affects IBM Guardium Data Protection version 12.1 specifically.
RemediationAI
Apply the vendor-released patch from IBM PSIRT as documented at https://www.ibm.com/support/pages/node/7270422. Upgrade IBM Guardium Data Protection 12.1 to the patched maintenance release specified in that advisory. If patching cannot be immediately deployed, implement compensating controls: restrict network access to the Guardium administrative interface to trusted IP ranges or VPN gateways only, use a reverse proxy or WAF with path traversal detection rules to block requests containing /../ sequences, disable administrative web interface if it is not actively required and use alternative administration methods (CLI, out-of-band management), and implement robust audit logging and alerting on administrative file operations to detect exploitation attempts. Each control has trade-offs: network segmentation may limit legitimate remote administration, WAF rules require careful tuning to avoid false positives, interface disablement reduces operational flexibility, and logging increases storage overhead but provides forensic value.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25132
GHSA-88m7-mxf9-v644