Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM2675EB03B2C89E852796FB63153AA0928EDF72A186233EF534E0DBB8339ADAC0
HistoryApr 28, 2021 - 6:35 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology

2021-04-2818:35:50
www.ibm.com
11
ibm jazz team server
ibm rational products
cross-site scripting
information leakage
denial of service

EPSS

0.014

Percentile

86.3%

JSON

Summary

Multiple vulnerabilities in the IBM Jazz Team Server affecting the following IBM Rational Products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM).

Vulnerability Details

CVEID: CVE-2017-1164**
DESCRIPTION:** IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123036 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2017-1169**
DESCRIPTION:** IBM DOORS Next Generation( DNG/RRC) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123188 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2017-1241**
DESCRIPTION:** An undisclosed vulnerability in IBM Jazz based applications might allow the display of stack trace information to an attacker.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124523 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-5644**
DESCRIPTION:** Apache POI is vulnerable to a denial of service, cause by an XML External Entity Injection (XXE) error when processing XML data. By using a specially-crafted OOXML file, a remote attacker could exploit this vulnerability to consume all available CPU resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123699 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-1295**
DESCRIPTION:** IBM RSA DM contains undisclosed vulnerability in CLM Applications with potential for information leakage.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125157 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-1363**
DESCRIPTION:** IBM Team Concert (RTC) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/126856 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Rational Collaborative Lifecycle Management 4.0 - 6.0.4

Rational Quality Manager 4.0 - 4.0.7
Rational Quality Manager 5.0 - 5.0.2
Rational Quality Manager 6.0 - 6.0.4

Rational Team Concert 4.0 - 4.0.7
Rational Team Concert 5.0 - 5.0.2
Rational Team Concert 6.0 - 6.0.4

Rational DOORS Next Generation 4.0.1 - 4.0.7
Rational DOORS Next Generation 5.0 - 5.0.2
Rational DOORS Next Generation 6.0 - 6.0.4

Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7
Rational Engineering Lifecycle Manager 5.0 - 5.0.2
Rational Engineering Lifecycle Manager 6.0 - 6.0.4

Rational Rhapsody Design Manager 4.0 - 4.0.7
Rational Rhapsody Design Manager 5.0 - 5.0.2
Rational Rhapsody Design Manager 6.0 - 6.0.4

Rational Software Architect Design Manager 4.0 - 4.0.7
Rational Software Architect Design Manager 5.0 - 5.0.2
Rational Software Architect Design Manager 6.0 - 6.0.1

Remediation/Fixes

For the 6.0 - 6.0.4 releases

Upgrade to version 6.0.4 iFix4 or later
* Rational Collaborative Lifecycle Management 6.0.4 iFix4
* Rational Team Concert 6.0.4 iFix4
* Rational Quality Manager 6.0.4 iFix4
* Rational DOORS Next Generation 6.0.4 iFix4
* Rational Software Architect Design Manager:_ Upgrade to version 6.0.3 and install server from CLM 6.0.4 iFix4
* Rational Rhapsody Design Manager: Upgrade to version 6.0.3 and install server from CLM 6.0.4 iFix4
* Rational Engineering Lifecycle Manager: _Upgrade to version 6.0.3 and install server from CLM 6.0.4 iFix4

Or upgrade to version 6.0.2 iFix13 or later
* Rational Collaborative Lifecycle Management 6.0.2 iFix13
* Rational Team Concert 6.0.2 iFix13
* Rational Quality Manager 6.0.2 iFix13
* Rational DOORS Next Generation 6.0.2 iFix13
* Rational Software Architect Design Manager:_ Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix13
* Rational Rhapsody Design Manager: Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix13
* Rational Engineering Lifecycle Manager: _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix13

For any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

If the iFix is not found in the Fix Portal please contact IBM Support.

Workarounds and Mitigations

None

Related

ibm 19
cve 6
ubuntucve 1
github 1
osv 2
cvelist 6
debiancve 1
prion 6
veracode 1
nvd 6
oracle 1
ibm
ibm
Security Bulletin: Apache POI as used in IBM QRadar SIEM is vulnerable to a denial of service. (CVE-2017-5644)
2018-06-16 22:04:35
Security Bulletin: A security vulnerability has been identified in IBM Cognos Business Intelligence shipped with IBM Business Monitor (CVE-2017-5644)
2018-06-15 07:08:22
Security Bulletin: Vulnerability in Apache POI affects IBM Maximo Asset Management (CVE-2017-5644)
2018-06-17 15:45:53
cve
cve
CVE-2017-5644
2017-03-24 14:59:00
CVE-2017-1363
2017-10-25 12:29:00
CVE-2017-1164
2017-10-25 12:29:00
ubuntucve
ubuntucve
CVE-2017-5644
2017-03-24 00:00:00
github
github
Improper Restriction of Recursive Entity References in DTDs in Apache POI
2022-05-13 01:14:24
osv
osv
Improper Restriction of Recursive Entity References in DTDs in Apache POI
2022-05-13 01:14:24
CVE-2017-5644
2017-03-24 14:59:00
cvelist
cvelist
CVE-2017-5644
2017-03-24 14:00:00
CVE-2017-1363
2017-10-25 12:00:00
CVE-2017-1295
2017-10-25 12:00:00
debiancve
debiancve
CVE-2017-5644
2017-03-24 14:59:00
prion
prion
Design/Logic Flaw
2017-03-24 14:59:00
Cross site scripting
2017-10-25 12:29:00
Cross site scripting
2017-10-25 12:29:00
veracode
veracode
Denial Of Service (DoS) Via XML External Expansion (XEE)
2017-03-22 01:45:07
nvd
nvd
CVE-2017-5644
2017-03-24 14:59:00
CVE-2017-1363
2017-10-25 12:29:00
CVE-2017-1164
2017-10-25 12:29:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2020
2020-10-20 00:00:00

EPSS

0.014

Percentile

86.3%

JSON
Related for 2675EB03B2C89E852796FB63153AA0928EDF72A186233EF534E0DBB8339ADAC0
ibm19cve6ubuntucve1github1osv2cvelist6debiancve1prion6veracode1nvd6oracle1