IBM9E184B583C994A9861884C39F50DFEC871968677E38E68757180A0F2E43EB887Security Bulletin: Multiple vulnerabilites affect IBM Jazz Foundation and IBM Engineering products.
0.001 Low
EPSS
Percentile
29.0%
Summary
There are multiple vulnerabilities in IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Workflow Management (EWM), IBM Engineering Systems Design Rhapsody - Design Manager (RDM), IBM Engineering Systems Design Rhapsody - Model Manager (RMM).
Vulnerability Details
CVEID:CVE-2020-4865
**DESCRIPTION:**IBM Engineering Workflow Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190741 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2020-4547
**DESCRIPTION:**IBM Jazz Foundation could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim’s click actions and possibly launch further attacks against the victim.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183315 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2020-4524
**DESCRIPTION:**IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182434 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2020-4855
**DESCRIPTION:**IBM Engineering Requirements Management DOORS Next is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190457 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2021-20357
**DESCRIPTION:**IBM Global Configuration Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194963 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| EWM | 7.0.2 |
| RTC | 6.0.2 |
| RTC | 6.0.6.1 |
| EWM | 7.0 |
| RTC | 6.0.6 |
| RDNG | 6.0.2 |
| DOORS Next | 7.0 |
| RDNG | 6.0.6.1 |
| RDNG | 6.0.6 |
| Rhapsody DM | 6.0.6 |
| Rhapsody DM | 6.0.6.1 |
| Rhapsody DM | 6.0.2 |
| RDM | 7.0 |
| RMM | 6.0.6.1 |
| RMM | 6.0.6 |
| RMM | 7.0 |
| RMM | 6.0.2 |
| CLM | 6.0.6.1 |
| CLM | 6.0.6 |
| ELM | 7.0 |
| CLM | 6.0.2 |
| RQM | 6.0.6.1 |
| RQM | 6.0.6 |
| ETM | 7.0.0 |
| RQM | 6.0.2 |
| RELM | 6.0.6.1 |
| RELM | 6.0.6 |
| ENI | 7.0 |
| RELM | 6.0.2 |
| Global Configuration Management | All |
Remediation/Fixes
For the 6.0 - 7.0.1 releases:
Upgrade to version 7.0.1 iFix005 or later
- IBM Engineering Lifecycle Management 7.0.1 iFix005
- IBM Engineering Requirements Management DOORS Next 7.0.1 iFix005
- IBM Engineering Test Management 7.0.1 iFix005
- IBM Engineering Workflow Management 7.0.1 iFix005
- IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0.1 and install server from ELM 7.0.1 iFix005
- IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0.1 and install server from ELM 7.0.1 iFix005
- IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0.1 and install server from ELM 7.0.1 iFix005
Upgrade to version 7.0 iFix007 or later
- IBM Engineering Lifecycle Management 7.0 iFix007
- IBM Engineering Requirements Management DOORS Next 7.0 iFix007
- IBM Engineering Test Management 7.0 iFix007
- IBM Engineering Workflow Management 7.0 iFix007
- IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix007
- IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix007
- IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix007
Upgrade to version 6.0.6.1 iFix011 or later
- Rational Collaborative Lifecycle Management 6.0.6.1 iFix011
- Rational DOORS Next Generation 6.0.6.1 iFix011
- Rational Quality Manager 6.0.6.1 iFix011
- Rational Team Concert 6.0.6.1 iFix011
- Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
- Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
- IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
- Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
Upgrade to version 6.0.6 iFix017 or later
- Rational Collaborative Lifecycle Management 6.0.6 iFix017
- Rational DOORS Next Generation 6.0.6 iFix017
- Rational Quality Manager 6.0.6 iFix017
- Rational Team Concert 6.0.6 iFix017
- Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
- Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
- IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
- Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
Upgrade to version 6.0.2 iFix025 or later
- Rational Collaborative Lifecycle Management 6.0.2 iFix025
- Rational Team Concert 6.0.2 iFix025
- Rational Quality Manager 6.0.2 iFix025
- Rational DOORS Next Generation 6.0.2 iFix025
- Rational Software Architect Design Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix025
- Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix025
- Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix025
For any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
If the iFix is not found in the Fix Portal please contact IBM Support.
Workarounds and Mitigations
None
Related
0.001 Low
EPSS
Percentile
29.0%