Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM50B9A7C3ED87452F0E22FC60B6D409AA94C5470221013FB441AD828F88216C41
HistoryJul 07, 2022 - 6:37 a.m.

Security Bulletin: IBM Engineering Lifecycle Management is vulnerable(Server-Side Request Forgery vulnerability) when requesting resource over an API endpoint to verify URls from target application server.(CVE-2021-20421)

2022-07-0706:37:30
www.ibm.com
30
ibm
engineering lifecycle management
ssrf
vulnerability
api endpoint

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

19.6%

JSON

Summary

Summary guidance: - There is Server-Side Request Forgery vulnerability when requesting resource over an API endpoint to verify URLs from target application server.

Vulnerability Details

CVEID:CVE-2021-20421
**DESCRIPTION:**IBM Jazz Foundation is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196300 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s) **Version(s) number and/or range ** Remediation/Fix/Instructions
Jazz Team Server 6.0.6 Download and install iFix026 or later
Jazz Team Server 6.0.6.1 Download and install iFix025 or later
Jazz Team Server 7.0 Download and install iFix015 or later
Jazz Team Server 7.0.1 Download and install iFix017 or later
Jazz Team Server 7.0.2 Download and install iFix013 or later

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmibm_engineering_lifecycle_management_baseMatch7.0.1
OR
ibmibm_engineering_lifecycle_management_baseMatch7.0.2
VendorProductVersionCPE
ibmibm_engineering_lifecycle_management_base7.0.1cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0.1:*:*:*:*:*:*:*
ibmibm_engineering_lifecycle_management_base7.0.2cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0.2:*:*:*:*:*:*:*

Related

cvelist 1
nvd 1
prion 1
cve 1
cvelist
cvelist
CVE-2021-20421
2022-06-24 16:15:33
nvd
nvd
CVE-2021-20421
2022-06-24 17:15:07
prion
prion
Server side request forgery (ssrf)
2022-06-24 17:15:00
cve
cve
CVE-2021-20421
2022-06-24 17:15:07

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

19.6%

JSON
Related for 50B9A7C3ED87452F0E22FC60B6D409AA94C5470221013FB441AD828F88216C41
cvelist1nvd1prion1cve1