History: Jul 07, 2022 - 6:37 a.m.

Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to server-side request forgery: the application can be induced to perform server-side HTTP and HTTPS requests to arbitrary domains (CVE-2021-20544)

2022-07-07 06:37:18
www.ibm.com

CVSS2: 4 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001 Low
Percentile: 19.8%

Summary

Summary guidance: External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server. The ability to trigger arbitrary external service interactions does not constitute a vulnerability in its own right, and in some cases might even be the intended behaviour of the application. However, in many cases, it can indicate a vulnerability.

Vulnerability Details

CVEID: CVE-2021-20544
DESCRIPTION: IBM Jazz Foundation is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
CVSS Base score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/198931 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
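The bulletin describes the vulnerability class but not the defensive pattern that addresses it. The following is an added illustration (not IBM's code and not the Jazz Foundation fix) of the standard mitigation for SSRF: a server-side validator that allows outbound requests only to an explicit allow-list of hosts over http/https, and refuses IP literals in loopback, private, link-local and other non-public ranges. The allow-list contents (`api.example.com`, `reports.example.net`) and the function names are assumptions constructed for this example.

```python
"""Added example: outbound-URL validation as an SSRF mitigation.
Not IBM's code; a generic illustration of the control the bulletin's
vulnerability class calls for. Hosts in ALLOWED_HOSTS are constructed."""
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Hypothetical allow-list of external services this application is meant to call.
ALLOWED_HOSTS = {"api.example.com", "reports.example.net"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None means "scheme default"


def _is_disallowed_ip(host: str) -> bool:
    """True when host is an IP literal that is not globally routable
    (loopback, RFC1918, link-local such as cloud metadata 169.254.0.0/16,
    multicast, ...). Non-literal hostnames return False and are left to
    the allow-list check."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return (not ip.is_global) or ip.is_multicast


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Return (ok, reason). Default-deny: anything not explicitly allowed is rejected.

    Caveat: this checks the URL only. A client that resolves the hostname
    itself can still be redirected or rebound at resolution time, so the
    HTTP client should also disable redirects or re-validate the resolved
    address before connecting."""
    parts = urlsplit(url)

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    # "https://allowed.host@attacker.host/" parses the allowed name as userinfo.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"

    host = parts.hostname  # already lower-cased and bracket-stripped by urlsplit
    if not host:
        return False, "missing host"
    if _is_disallowed_ip(host):
        return False, "non-public IP literal: %s" % host
    if host not in allowed_hosts:
        return False, "host not in allow-list: %s" % host

    try:
        port = parts.port  # ValueError on a malformed port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %s" % port

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs mixing legitimate and SSRF-style targets.
    for sample in (
        "https://api.example.com/report",
        "http://127.0.0.1:8080/",
        "http://169.254.169.254/latest/meta-data/",
        "https://api.example.com@evil.example.org/",
        "file:///etc/passwd",
    ):
        print(sample, "->", validate_outbound_url(sample))
```

The allow-list is the primary control; the IP-range check is a backstop for the common case of a literal internal address. A hostname that merely resolves to an internal address is blocked only because it is absent from the allow-list, which is why the list must stay explicit rather than pattern-based.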

Affected Products and Versions

Affected Products/Versions guidance:

Affected Product(s) | Version(s)
--- | ---
Jazz Team Server | 6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s) | Version(s) number and/or range | Remediation/Fix/Instructions
--- | --- | ---
Jazz Team Server | 6.0.6 | Download and install iFix026 or later
Jazz Team Server | 6.0.6.1 | Download and install iFix025 or later
Jazz Team Server | 7.0 | Download and install iFix015 or later
Jazz Team Server | 7.0.1 | Download and install iFix017 or later
Jazz Team Server | 7.0.2 | Download and install iFix013 or later

Workarounds and Mitigations

Workarounds/Mitigation guidance:

None

Affected configurations

Vulners node: ibm engineering_lifecycle_management, version 6.0.6 OR 6.0.6.1 OR 7.0 OR 7.0.1 OR 7.0.2
