CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
15.5%
A vulnerability has been identified in Google Guava, which is used in IBM Engineering Lifecycle Management - IBM Jazz. This bulletin contains information regarding vulnerabilities and remediation actions.
CVEID:CVE-2023-2976
**DESCRIPTION:**Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with using Java’s default temporary directory for file creation in FileBackedOutputStream. By sending a specially crafted request, an attacker could exploit this vulnerability to access the files in the default Java temporary directory, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258199 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
Jazz Foundation | 7.0.2 and below |
Jazz Foundation | 7.0.3 |
Adopted new Google Guava 32.1.2 version
STEPS TO APPLY THE REMEDIATION:
Advising users who are on ELM 7.0, 7.0.1 or any other version below 7.0.2 to upgrade your products to Maintenance release 7.0.2 version as these products have reached end of life. Optionally, upgrade to the latest 7.0.3 version and apply below fix.
Affected Product(s) | Version(s) | Remediation/Fix/Instructions |
---|---|---|
Jazz Foundation | 7.0.2 | Download and install iFix029 or later |
Jazz Foundation | 7.0.3 | Download and install iFix002 or later |
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | ibm_engineering_lifecycle_management_base | 7.0.2 | cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0.2:*:*:*:*:*:*:* |
ibm | ibm_engineering_lifecycle_management_base | 7.0.3 | cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0.3:*:*:*:*:*:*:* |
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
15.5%