Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing is vulnerable to disclosure of highly sensitive information (CVE-2021-39019)

Published: 2022-07-13 09:04:30
Source: www.ibm.com

CVSS3 base score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.001 (percentile 23.7%)

Summary

IBM Engineering Lifecycle Optimization - Publishing Document Builder uses the POST method to submit passwords, but it can be forced to use the GET method as well. Because a GET request carries its parameters in the URL, a password submitted that way can be recorded in web server and proxy access logs, browser history and Referer headers. As a result, highly sensitive information can be disclosed through an HTTP GET request to an authenticated user (CVE-2021-39019).
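The weakness class the summary describes, as an added example that is not IBM's code and does not reflect the product's internals: a login handler that merges query-string and body parameters (so a form meant for POST also works as a GET with the password in the URL), the hardened handler that accepts credentials only from a POST body, and a check of web-server access logs for passwords that have already travelled in URLs. The `/login` path, the parameter names and the log lines are constructed assumptions for illustration; the advisory does not publish them.

```python
"""Added example, not IBM's code: a credential handler that also honours GET,
its hardened form, and an access-log check for URL-borne passwords.

The endpoint path, parameter names and log lines below are constructed
assumptions for illustration; the advisory does not publish them.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names that should never appear in a query string.
CREDENTIAL_PARAMS = frozenset({"password", "passwd", "pwd", "j_password"})


def _query(target):
    """Query-string parameters of a request target, e.g.
    '/login?user=alice&password=x' -> {'user': ['alice'], 'password': ['x']}."""
    return parse_qs(urlsplit(target).query)


def vulnerable_login(method, target, body=""):
    """Vulnerable pattern: the form POSTs, but the handler merges query-string
    and body parameters, so the same request succeeds as a GET with the
    password in the URL, where access logs, proxies and history record it."""
    params = dict(_query(target))
    if method == "POST":
        params.update(parse_qs(body))
    password = params.get("password", [None])[0]
    return {
        "status": 200 if password else 400,
        "password_in_url": bool(CREDENTIAL_PARAMS.intersection(_query(target))),
    }


def hardened_login(method, target, body=""):
    """Hardened pattern: credentials are read only from a POST body; any other
    method gets 405, and a credential in the URL is refused outright, so the
    handler never acts on a password that was transmitted in a URL."""
    leaked = bool(CREDENTIAL_PARAMS.intersection(_query(target)))
    if method != "POST":
        return {"status": 405, "password_in_url": leaked}
    if leaked:
        return {"status": 400, "password_in_url": True}
    password = parse_qs(body).get("password", [None])[0]
    return {"status": 200 if password else 400, "password_in_url": False}


# Request line inside a combined-format (Apache/nginx) access log entry.
_REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_credentials_in_log(lines):
    """Return (line_no, method, parameter) for every logged request whose
    query string carries a credential-looking parameter. POST bodies are not
    written to access logs, so only URL-borne credentials can be found here."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        present = CREDENTIAL_PARAMS.intersection(_query(match["target"]))
        hits.extend((line_no, match["method"], name) for name in sorted(present))
    return hits


# Constructed sample access log (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jul/2022:09:04:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [13/Jul/2022:09:04:41 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Jul/2022:09:05:02 +0000] "GET /reports?id=42 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [13/Jul/2022:09:06:15 +0000] "GET /login?j_username=bob&j_password=s3cret HTTP/1.1" 302 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for hit in find_credentials_in_log(SAMPLE_LOG):
        print("credential in URL at log line %d (%s %s)" % hit)
```

A 405 from the hardened handler stops the application acting on a URL-borne password, but the request line is written to the access log before any handler runs, so the log check matters independently of the fix: treat any password it finds as compromised and rotate it, and consider stripping or masking query strings in the logging configuration.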

Vulnerability Details

CVEID: CVE-2021-39019
DESCRIPTION: IBM Engineering Lifecycle Optimization - Publishing could disclose highly sensitive information through an HTTP GET request to an authenticated user.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/213728 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)                                           Version(s)
IBM Engineering Lifecycle Optimization - Publishing (PUB)     7.0, 7.0.1, 7.0.2
IBM Rational Publishing Engine (RPE)                          6.0.6, 6.0.6.1

Remediation/Fixes

For IBM Publishing 7.0, upgrade to ifix016 or later, which can be downloaded from:
IBM Publishing 7.0 iFix016

For IBM Publishing 7.0.1, upgrade to ifix017 or later, which can be downloaded from:
IBM Publishing 7.0.1 iFix017

For IBM Publishing 7.0.2, upgrade to ifix013 or later, which can be downloaded from:
IBM Publishing 7.0.2 iFix013

For RPE 6.0.6 and 6.0.6.1, the fix is delivered on the 7.0.2 stream: upgrade to IBM Publishing 7.0.2 iFix013 or later, which can be downloaded from IBM Publishing 7.0.2 iFix013

Workarounds and Mitigations

None

Affected configurations (CPE)

Vendor: ibm
Product: engineering_lifecycle_optimization_-_publishing
Versions: 6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2

cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:6.0.6:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:6.0.6.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0.2:*:*:*:*:*:*:*

