Lucene search

IBM1BB697F80C56F800F6DA0087921CCC2A0D7CFDE3962E066EF5358B5C1665432D

HistoryJul 13, 2022 - 8:20 a.m.

Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing is vulnerable to Host Header Injection (CVE-2021-39028)

2022-07-1308:20:29

www.ibm.com

ibm engineering lifecycle optimization

publishing

host header injection

cve-2021-39028

vulnerability

http header injection

cross-site scripting

cache poisoning

session hijacking

cvss

ifix016

ifix017

ifix013

rpe 6.0.6

rpe 6.0.6.1

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

19.6%

JSON

Summary

IBM Engineering Lifecycle Optimization - Publishing is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. CVE-2021-39028.

Vulnerability Details

CVEID:CVE-2021-39028
**DESCRIPTION:**IBM Engineering Lifecycle Optimization - Publishing is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213866 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
PUB	7.0.1
PUB	7.0.2
RPE	6.0.6
RPE	6.0.6.1
PUB	7.0

Remediation/Fixes

For IBM Publishing 7.0, upgrade to ifix016 or later, which can be downloaded from:
IBM Publishing 7.0 iFix016

For IBM Publishing 7.0.1, upgrade to ifix017 or later, which can be downloaded from:
IBM Publishing 7.0.1 iFix017

For IBM Publishing 7.0.2, upgrade to ifix013 or later, which can be downloaded from:
IBM Publishing 7.0.2 iFix013

For RPE 6.0.6 and 6.0.6.1, upgrade to latest 7.0.2 iFix13 or later, which can be downloaded from IBM Publishing 7.0.2 iFix013

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmengineering_lifecycle_optimization_-_publishingMatch6.0.6

ibmengineering_lifecycle_optimization_-_publishingMatch6.0.6.1

ibmengineering_lifecycle_optimization_-_publishingMatch7.0

ibmengineering_lifecycle_optimization_-_publishingMatch7.0.1

ibmengineering_lifecycle_optimization_-_publishingMatch7.0.2

VendorProductVersionCPE
ibmengineering_lifecycle_optimization_-_publishing6.0.6cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:6.0.6:*:*:*:*:*:*:*
ibmengineering_lifecycle_optimization_-_publishing6.0.6.1cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:6.0.6.1:*:*:*:*:*:*:*
ibmengineering_lifecycle_optimization_-_publishing7.0cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0:*:*:*:*:*:*:*
ibmengineering_lifecycle_optimization_-_publishing7.0.1cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0.1:*:*:*:*:*:*:*
ibmengineering_lifecycle_optimization_-_publishing7.0.2cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	engineering_lifecycle_optimization_-_publishing	6.0.6	cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:6.0.6:::::::*
ibm	engineering_lifecycle_optimization_-_publishing	6.0.6.1	cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:6.0.6.1:::::::*
ibm	engineering_lifecycle_optimization_-_publishing	7.0	cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0:::::::*
ibm	engineering_lifecycle_optimization_-_publishing	7.0.1	cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0.1:::::::*
ibm	engineering_lifecycle_optimization_-_publishing	7.0.2	cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0.2:::::::*