There is a clickjacking vulnerability in IBM WebSphere Application Server Liberty Admin Center bundled with IBM Jazz Team Server based Applications that affects the following products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM) and IBM Rhapsody Model Manager.
CVEID: CVE-2019-4285
DESCRIPTION: IBM WebSphere Application Server - Liberty Admin Center could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could send a specially-crafted HTTP request to hijack the victim’s click actions or launch other client-side browser attacks.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160513> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
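A defender-side check for the browser-enforced framing controls that mitigate this class of issue (X-Frame-Options and the CSP frame-ancestors directive), as an added example that is not IBM's code and not part of the original bulletin; the sample response headers are constructed, not captured from a real server:

```python
"""Audit HTTP response headers for clickjacking (framing) protection.

Added example, not IBM's code. It classifies whether a response carries
an X-Frame-Options header or a Content-Security-Policy frame-ancestors
directive, the two controls that stop a page such as an admin console
from being embedded in a frame on another origin.
"""
from typing import Dict, List


def frame_ancestors(csp: str) -> List[str]:
    """Return the source list of the frame-ancestors directive, or [] if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return []


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response's anti-framing posture.

    Returns "csp" (frame-ancestors restricts framing), "xfo" (X-Frame-Options
    DENY/SAMEORIGIN), "weak" (a control is present but permissive, e.g.
    frame-ancestors * or the obsolete ALLOW-FROM form), or "none".
    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if ancestors:
        # Browsers that support frame-ancestors give it precedence over XFO.
        permissive = {"*", "http:", "https:"}
        return "weak" if permissive & set(ancestors) else "csp"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    if xfo.startswith("ALLOW-FROM"):
        return "weak"  # ignored by current browsers, so no real protection
    return "none"


# Constructed sample responses (hypothetical, not from a real deployment).
UNPROTECTED = {"Content-Type": "text/html", "Server": "WebSphere Liberty"}
HARDENED = {"Content-Type": "text/html",
            "X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        print(name, "->", framing_protection(hdrs))
```

Run it against the headers of the Admin Center login page after applying the vendor fix to confirm that the result is "csp" or "xfo" rather than "none" or "weak".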
Rational Collaborative Lifecycle Management 6.0 - 6.0.6.1
Rational Quality Manager 6.0 - 6.0.6.1
Rational Team Concert 6.0 - 6.0.6.1
Rational DOORS Next Generation 6.0 - 6.0.6.1
Rational Engineering Lifecycle Manager 6.0 - 6.0.6.1
Rational Rhapsody Design Manager 6.0 - 6.0.6.1
IBM Rhapsody Model Manager 6.0.5 - 6.0.6.1
The IBM Jazz Team Server based Applications bundle different versions of IBM WebSphere Application Server Liberty with the available versions of the products, and in addition to the bundled version some previous versions of WAS are also supported. Information about a security vulnerability affecting WAS Liberty has been published.
For CLM applications version 6.0 to 6.0.6.1 review the Security Bulletin below to determine if your WAS Liberty version is affected and the required remediation:
None