This bulletin describes a variety of noncritical security issues that have been found and fixed in WebSphere Service Registry and Repository version 8.5.
CVE ID: CVE-2014-6153
DESCRIPTION: WSRR WEBUI ISSUES A COOKIE WHICH IS NOT DECLARED SSL ONLY.
CVSS
CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97622> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVE ID: CVE-2014-6132
DESCRIPTION: DOM BASED CROSS-SITE SCRIPTING VULNERABILITY IN WSRR WEB UI
CVSS
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96812> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVE ID: CVE-2014-6155
DESCRIPTION: PATH TRAVERSAL VULNERABILITIES IN SERVICEREGISTRY UI
CVSS
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97678> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVE ID: CVE-2014-6160
DESCRIPTION: USER REMAINS LOGGED INTO SERVICEREGISTRYDASHBOARD WHEN USING WEBSEAL AND CHROME
CVSS
CVSS Base Score: 2.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97709> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:P/A:N)
WSRR 8.5
CVE
| APAR|Remediation/First Fix
—|—|—
CVE-2014-6153| IV64010| Install WSRR Fix Pack 8.5.0.1
CVE-2014-6132| IV64000| Install WSRR Fix Pack 8.5.0.1
CVE-2014-6155| IV63585| Install WSRR Fix Pack 8.5.0.1
CVE-2014-6160| IV63498| Install WSRR Fix Pack 8.5.0.1