Security Bulletin: IBM Jazz for Service Management is vulnerable to HTTP header injection, caused by incorrect trust in the HTTP Host header (CVE-2019-4186)

Published: 2019-08-30 10:47:54 (www.ibm.com)

EPSS: 0.001 (Low), percentile 43.5%

Summary

IBM Jazz for Service Management is vulnerable to HTTP header injection, caused by incorrect trust in the HTTP Host header.

Vulnerability Details

CVEID: CVE-2019-4186
DESCRIPTION: IBM Jazz for Service Management is vulnerable to HTTP header injection, caused by incorrect trust in the HTTP Host header during caching. By sending a specially crafted HTTP GET request, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158976> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
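As an added illustration (not IBM's code, and not how Jazz for Service Management actually implements its caching), the Python below models a handler that caches a redirect target derived from the request's Host header: once in the flawed form the bulletin describes, where the first request's Host is cached and served to every later client, and once hardened so the host is checked for well-formedness and against an allow-list before it is used. ALLOWED_HOSTS, the hostnames and the request path are constructed for the example.

```python
import re
from typing import Dict, Optional

# Added example, not IBM's code: a minimal model of a handler that caches a
# redirect target derived from the request's Host header. ALLOWED_HOSTS and
# the hostnames below are constructed for the example.
ALLOWED_HOSTS = {"jazzsm.example.com", "jazzsm.example.com:16311"}

# RFC 1123 hostname with an optional port. fullmatch() means CR, LF, spaces,
# '@', '/' or a second ':' cannot appear, so nothing header-shaped passes.
_HOST_RE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?",
    re.IGNORECASE,
)


def validate_host(host: str) -> Optional[str]:
    """Return the canonical host if it is well formed and allow-listed, else None."""
    if not _HOST_RE.fullmatch(host):
        return None
    host = host.lower()
    return host if host in ALLOWED_HOSTS else None


class RedirectCache:
    """Builds and caches a Location value per path, keyed by path alone
    (the cache does not vary on Host), as a poisonable cache would."""

    def __init__(self, trust_host: bool) -> None:
        self.trust_host = trust_host   # True reproduces the flaw the bulletin describes
        self._cache: Dict[str, str] = {}

    def location_for(self, headers: Dict[str, str], path: str) -> Optional[str]:
        if path in self._cache:
            return self._cache[path]   # whatever was cached first is served to everyone
        raw = headers.get("Host", "")
        host = raw if self.trust_host else validate_host(raw)
        if host is None:
            return None                # hardened path: answer 400, cache nothing
        location = "https://" + host + path
        self._cache[path] = location
        return location
```

With trust_host=True a single request carrying a malformed Host seeds the cache for every subsequent user of that path; with trust_host=False the same request is rejected and the cache only ever holds allow-listed hosts.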

Affected Products and Versions

Jazz for Service Management version 1.1.3

Remediation/Fixes

Affected JazzSM Version: Jazz for Service Management version 1.1.3

Recommended Fix:

1. Install 1.1.2.1-TIV-JazzSM-DASH-Cumulative-Patch-0006

2. Install 1.1.3-Tivoli-JazzSM-DASH-CP6-multi-IF0002

Workarounds and Mitigations

Please refer to the Read-me available as part of 1.1.3-Tivoli-JazzSM-DASH-CP6-multi-IF0002.

CPE Name: jazz for service management
Operator: eq
Version: 1.1.3
