Lucene search

IBMBA1B70153B0EFBCB53711BF3683CE2AA161990BE06B6AA2DDFEAD0819A423D7E

HistoryApr 22, 2024 - 6:07 a.m.

Security Bulletin: The IBM® Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to cross-site scripting (CVE-2024-27270)

2024-04-2206:07:56

www.ibm.com

ibm

engineering lifecycle

cross-site scripting

websphere application server

liberty

vulnerability

servlet-6.0

23.0.0.3

24.0.0.3

interim fix

apar ph60149

security bulletin

CVSS3

4.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

High

EPSS

Percentile

9.0%

JSON

Summary

IBM WebSphere Application Server Liberty is vulnerable to cross-site scripting with the servlet-6.0 feature enabled. Following IBM® Engineering Lifecycle Engineering products are vulnerable to this attack, it has been addressed in this bulletin: Jazz Foundation, IBM Engineering Test Management, IBM Engineering Workflow Management, Global Configuration Management, IBM Engineering Requirements Management DOORS Next.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Engineering Workflow Management	7.0.2
Global Configuration Management
IBM Engineering Test Management
IBM Engineering Requirements Management DOORS Next
Jazz Foundation
IBM Engineering Workflow Management	7.0.3
Global Configuration Management
IBM Engineering Test Management
IBM Engineering Requirements Management DOORS Next
Jazz Foundation

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH60149.

If any of the mentioned affected product is deployed on one of the above versions, Please follow the instruction given in the following article.

Link: <https://www.ibm.com/support/pages/node/7145231>

Affected features: servlet-6.0
Affected releases: This affects WebSphere Application Server Liberty versions 23.0.0.3 - 24.0.0.3

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmibm_engineering_lifecycle_management_baseMatch702

ibmibm_engineering_lifecycle_management_baseMatch703

VendorProductVersionCPE
ibmibm_engineering_lifecycle_management_base702cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:702:*:*:*:*:*:*:*
ibmibm_engineering_lifecycle_management_base703cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:703:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	ibm_engineering_lifecycle_management_base	702	cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:702:::::::*
ibm	ibm_engineering_lifecycle_management_base	703	cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:703:::::::*