IBM Jazz for Service Management is vulnerable to HTTP header injection, caused by incorrect trust in the HTTP Host header.
CVEID: CVE-2019-4186
DESCRIPTION: IBM Jazz for Service Management is vulnerable to HTTP header injection, caused by incorrect trust in the HTTP Host header during caching. By sending a specially crafted HTTP GET request, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which would allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158976> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
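The root cause named above is trusting the client-supplied Host header when building cached or reflected values. The following is an added illustration of the defensive pattern, not code from IBM or from Jazz for Service Management: the Host value is only accepted if it is syntactically a plain hostname[:port] and appears in a deployment allow-list; unknown hosts are never echoed into a Location header or used as a shared-cache key. The hostnames, port and paths are constructed placeholders.

```python
import re
from urllib.parse import quote

# Hosts this deployment is actually served under; anything else is rejected.
# Constructed example values, not taken from any IBM product configuration.
ALLOWED_HOSTS = {"dash.example.com", "dash.example.com:16311"}

# Plain hostname or IPv4 literal plus optional port: no whitespace, no CR/LF,
# no '@', no path characters. fullmatch() avoids the '$'-before-newline trap.
_HOST_RE = re.compile(r"[a-z0-9.-]+(:[0-9]{1,5})?")


def validate_host(header_value):
    """Return the canonical Host value, or None if it must not be trusted.

    A value that is merely well formed but not in the allow-list is still
    rejected: that is what stops a crafted Host from being reflected into
    response headers or from becoming part of a shared cache key.
    """
    if header_value is None:
        return None
    host = header_value.strip().lower()
    if not _HOST_RE.fullmatch(host):
        return None
    return host if host in ALLOWED_HOSTS else None


def build_location(host_header, path):
    """Build an absolute Location value without trusting the client.

    Falls back to the first configured canonical host when validation
    fails, instead of reflecting whatever the request carried.
    """
    host = validate_host(host_header) or sorted(ALLOWED_HOSTS)[0]
    return "https://%s%s" % (host, quote(path, safe="/"))


def cache_key(host_header, path):
    """Key for a shared response cache, built only from trusted values.

    Returning None tells the caller not to cache the response at all,
    which is the conservative choice when the Host is unrecognised.
    """
    host = validate_host(host_header)
    if host is None:
        return None
    return "%s|%s" % (host, path)
```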
Jazz for Service Management version 1.1.3
Affected JazzSM Version | Recommended Fix |
---|---|
Jazz for Service Management version 1.1.3 | 1. Install 1.1.2.1-TIV-JazzSM-DASH-Cumulative-Patch-0006; 2. Install 1.1.3-Tivoli-JazzSM-DASH-CP6-multi-IF0002 |

Please refer to the readme that ships with 1.1.3-Tivoli-JazzSM-DASH-CP6-multi-IF0002.
CPE Name | Operator | Version |
---|---|---|
jazz for service management | eq | 1.1.3 |