IBM Rational ClearCase is affected by a cURL/libcURL CURLOPT_HTTPHEADER information disclosure vulnerability.
**CVEID:** CVE-2015-3153
**DESCRIPTION:** cURL/libcURL could allow a remote attacker to obtain sensitive information, because custom HTTP headers set through the CURLOPT_HTTPHEADER option, which may carry sensitive content, are sent to both the server and the intermediate proxy. An attacker could exploit this vulnerability to obtain authentication cookies or other sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102989 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
The cURL component is used in the CMI integration, the OSLC-based ClearQuest integration, and in the automatic view client.
ClearCase client version | Status
---|---
8.0.1 through 8.0.1.8 | Affected
8.0 through 8.0.0.15 | Affected
7.1.2 through 7.1.2.18 | Affected
7.1.0.x, 7.1.1.x (all versions and fix packs) | Not affected
The solution is to upgrade to a fix pack of ClearCase that has a fix in the cURL component.
Affected Versions | **Applying the fix**
---|---
8.0.1 through 8.0.1.8 | Install Rational ClearCase Fix Pack 9 (8.0.1.9) for 8.0.1
8.0 through 8.0.0.15 | Install Rational ClearCase Fix Pack 16 (8.0.0.16) for 8.0
7.1.2 through 7.1.2.18 | Customers on extended support contracts should install Rational ClearCase Fix Pack 19 (7.1.2.19) for 7.1.2
None
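To triage a client inventory against the two tables above, the following added example (not IBM's code) classifies dotted ClearCase version strings and names the fix pack to install. The function names and the sample inventory are constructed for illustration; it assumes fix levels above the listed affected range carry the fix.

```python
import re

# (release, first affected fix level, last affected fix level, fix named in the bulletin)
AFFECTED = [
    ((8, 0, 1), 0, 8, "Fix Pack 9 (8.0.1.9)"),
    ((8, 0, 0), 0, 15, "Fix Pack 16 (8.0.0.16)"),
    ((7, 1, 2), 0, 18, "Fix Pack 19 (7.1.2.19), extended support contracts"),
]
NOT_AFFECTED = [(7, 1, 0), (7, 1, 1)]  # 7.1.0.x and 7.1.1.x, all fix packs


def parse_version(text):
    """Return (major, minor, release, fixpack); missing trailing parts are 0."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"not a dotted version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def triage(version_text):
    """Classify one version string as (status, action)."""
    *release, fixpack = parse_version(version_text)
    release = tuple(release)
    for prefix, low, high, fix in AFFECTED:
        if release == prefix:
            if low <= fixpack <= high:
                return ("affected", f"install {fix}")
            # Assumption: later fix packs keep the cURL fix.
            return ("fixed", "at or above the fix pack named in the bulletin")
    if release in NOT_AFFECTED:
        return ("not affected", "no action")
    return ("unlisted", "release not covered by the bulletin tables")


def needs_action(inventory):
    """Map host -> action for every host whose client is in an affected range."""
    results = {host: triage(version) for host, version in inventory.items()}
    return {host: action for host, (status, action) in results.items()
            if status == "affected"}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"build01": "8.0.1.4", "dev07": "8.0.0.16", "legacy3": "7.1.1.9"}

if __name__ == "__main__":
    for host, action in needs_action(SAMPLE).items():
        print(f"{host}: {action}")
```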