IBM Jazz Reporting Service Application Suite uses Google Guava package which is vulnerable to CVE-2023-2976.
CVEID:CVE-2020-8908
**DESCRIPTION:**Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192996 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Jazz Reporting Service | 7.0.2 |
IBM Jazz Reporting Service | 7.0.1 |
CVEID: CVE-2023-2976 Description: Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with using Java's default temporary directory for file creation in FileBackedOutputStream. By sending a specially crafted request, an attacker could exploit this vulnerability to access the files in the default Java temporary directory, and use this information to launch further attacks against the affected system.
CVSS Base Score: 5.5
Affected Versions: Various versions of Guava were affected, and the issue was addressed in Guava version 32.0.0 and later. **Resolution: **Released a iFix version for Jazz Reporting Service 7.0.2 iFix022: To ensure users could protect themselves from this vulnerability, the Guava 32.0.0 has been released in this ifix.
Product | Version | iFix | Remediation / First Fix |
---|---|---|---|
IBM Jazz Reporting Service | 7.0.2 | iFix022 | Fix Central - 7.0.2 |
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm engineering lifecycle management base | eq | 7.0.2 |