History: Jun 17, 2018 - 5:16 a.m.

Security Bulletin: Command Injection Vulnerability in IBM® Rational® Quality Manager (CVE-2016-0326)

2018-06-17 05:16:00
www.ibm.com
EPSS: 0.002
Percentile: 60.4%

Summary

IBM® Rational® Quality Manager could allow an authenticated attacker to inject commands through a specially crafted HTML request that would be executed by the operating system with user privileges.

Vulnerability Details

CVEID: CVE-2016-0326
DESCRIPTION: IBM Rational Quality Manager could allow an authenticated attacker to inject commands through a specially crafted HTML request that would be executed by the operating system with user privileges.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111642 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Rational Collaborative Lifecycle Management 4.0.0 - 6.0.1

Rational Quality Manager 6.0 - 6.0.1
Rational Quality Manager 5.0 - 5.0.2
Rational Quality Manager 4.0 - 4.0.7
Rational Quality Manager 3.0.1.6

Remediation/Fixes

For the 6.0.0 - 6.0.1 releases, upgrade to version 6.0.2 or 6.0.1 iFix3 or later.

For the 5.0 - 5.0.2 releases, upgrade to version 5.0.2 iFix17 or later.

For the 3.x releases, upgrade to version 3.0.1.6 iFix8 or later.

Workarounds and Mitigations

None
