Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM3AB8A0D8DF3E8947F6AADDC12247EF1D5E01D8D9D6A259B65657D804679CB6E0
HistoryJul 13, 2022 - 8:13 a.m.

Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing is vulnerable to Malicious File Upload (CVE-2021-39017)

2022-07-1308:13:10
www.ibm.com
28
ibm engineering lifecycle optimization
publishing
file upload
vulnerability
cve-2021-39017
malicious file
security bulletin
ifix
upgrade
rpe 6.0.6
rpe 6.0.6.1

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

35.5%

JSON

Summary

In IBM Engineering Lifecycle Optimization - Publishing, there are no file extension and content-type checks in place which helps an attacker to upload a malicious file of their choice. (CVE-2021-39017)

Vulnerability Details

CVEID:CVE-2021-39017
**DESCRIPTION:**IBM Engineering Lifecycle Optimization - Publishing could allow a remote attacker to upload arbitrary files, caused by improper access controls.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213725 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
PUB 7.0.1
PUB 7.0.2
RPE 6.0.6
RPE 6.0.6.1
PUB 7.0

Remediation/Fixes

For IBM Publishing 7.0, upgrade to ifix016 or later, which can be downloaded from:
IBM Publishing 7.0 iFix016

For IBM Publishing 7.0.1, upgrade to ifix017 or later, which can be downloaded from:
IBM Publishing 7.0.1 iFix017

For IBM Publishing 7.0.2, upgrade to ifix013 or later, which can be downloaded from:
IBM Publishing 7.0.2 iFix013

For RPE 6.0.6 and 6.0.6.1, upgrade to latest 7.0.2 iFix13 or later, which can be downloaded from: IBM Publishing 7.0.2 iFix013

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmengineering_lifecycle_optimization_-_publishingMatch6.0.6
OR
ibmengineering_lifecycle_optimization_-_publishingMatch6.0.6.1
OR
ibmengineering_lifecycle_optimization_-_publishingMatch7.0
OR
ibmengineering_lifecycle_optimization_-_publishingMatch7.0.1
OR
ibmengineering_lifecycle_optimization_-_publishingMatch7.0.2
VendorProductVersionCPE
ibmengineering_lifecycle_optimization_-_publishing6.0.6cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:6.0.6:*:*:*:*:*:*:*
ibmengineering_lifecycle_optimization_-_publishing6.0.6.1cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:6.0.6.1:*:*:*:*:*:*:*
ibmengineering_lifecycle_optimization_-_publishing7.0cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0:*:*:*:*:*:*:*
ibmengineering_lifecycle_optimization_-_publishing7.0.1cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0.1:*:*:*:*:*:*:*
ibmengineering_lifecycle_optimization_-_publishing7.0.2cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0.2:*:*:*:*:*:*:*

Related

nvd 1
cve 1
prion 1
cvelist 1
nvd
nvd
CVE-2021-39017
2022-07-14 17:15:08
cve
cve
CVE-2021-39017
2022-07-14 17:15:08
prion
prion
Improper access control
2022-07-14 17:15:00
cvelist
cvelist
CVE-2021-39017
2022-07-14 16:15:36

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

35.5%

JSON
Related for 3AB8A0D8DF3E8947F6AADDC12247EF1D5E01D8D9D6A259B65657D804679CB6E0
nvd1cve1prion1cvelist1