This bulletin describes a variety of minor security issues that have been found and fixed in WebSphere Service Registry and Repository version 7.5
CVE ID: CVE-2014-6153
DESCRIPTION: WSRR WEBUI ISSUES A COOKIE WHICH IS NOT DECLARED SSL ONLY.
CVSS
CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97622> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVE ID: CVE-2014-6132
DESCRIPTION: DOM BASED CROSS-SITE SCRIPTING VULNERABILITY IN WSRR WEB UI
CVSS
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/96812 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVE ID: CVE-2014-6155
DESCRIPTION: PATH TRAVERSAL VULNERABILITIES IN SERVICEREGISTRY UI
CVSS
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97678 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVE ID: CVE-2014-6177
DESCRIPTION: ACCESS CONTROL IS NOT CHECKED WHEN A RETRIEVE TO DEPTH 0 IS PERFORMED.
CVSS
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/98492> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVE ID: CVE-2014-6179
DESCRIPTION: IBM AppScan detected that a DOM base XSS vulnerability exists in the WSRR Web UI.
CVSS
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/98516> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE ID: CVE-2014-6178
DESCRIPTION: SCRIPT INJECTION POSSIBLE IN WSRR WIDGETS.
CVSS
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/98514> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVE ID: CVE-2014-6180
DESCRIPTION: USER AGENT HTML INJECTION VULNERABILITY IN WSRR WEB UI.
CVSS
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/98515> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVE ID: CVE-2014-6187
DESCRIPTION: XSRF ISSUES FLAGGED BY RATIONAL APPSCAN
CVSS
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/98553> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVE ID: CVE-2014-6188
DESCRIPTION: XSS ISSUES FLAGGED BY RATIONAL APPSCAN
CVSS
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/98554> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVE ID: CVE-2014-6186
DESCRIPTION: OBJECTS NOT ACCESSIBLE DUE TO ACCESS CONTROL RESTRICTIONS CAN STILL APPEAR IN DATAGRAPH
CVSS
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/98549> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
WSRR 7.5
CVE
| APAR|Remediation/First Fix
—|—|—
CVE-2014-6153| IV64010| Contact WSRR Support.
CVE-2014-6132| IV64000| Contact WSRR Support.
CVE-2014-6155| IV63585| Contact WSRR Support.
CVE-2014-6177| IV24386| Install WSRR Fix Pack 7.5.0.3 or above
CVE-2014-6179| IV51859| Install WSRR Fix Pack 7.5.0.4
CVE-2014-6178| IV51765| Install WSRR Fix Pack 7.5.0.4
CVE-2014-6180| IV01657| Install WSRR Fix Pack 7.5.0.1 or above
CVE-2014-6187| IV26727| Install WSRR Fix Pack 7.5.0.3 or above
CVE-2014-6188| IV26727| Install WSRR Fix Pack 7.5.0.3 or above
CVE-2014-6186| IV26309| Install WSRR Fix Pack 7.5.0.3 or above