History: Jul 06, 2022 - 6:28 p.m.

Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Cross-site Scripting (XSS). (CVE-2021-39059)

2022-07-06 18:28:40
www.ibm.com
ibm
engineering lifecycle management
cross-site scripting
cve-2021-39059
jazz team server
vulnerability
ifix026
ifix025
ifix015
ifix017
ifix013

CVSS2: 3.5
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3: 5.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 19.6%

Summary

The Jazz Team Server is vulnerable to cross-site scripting.

Vulnerability Details

**CVEID:** CVE-2021-39059
**DESCRIPTION:** IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality, potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/214619 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)|Version(s)
---|---
Jazz Team Server|6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s)|Version(s) number and/or range|Remediation/Fix/Instructions
---|---|---
Jazz Team Server|6.0.6|Download and install iFix026 or later
Jazz Team Server|6.0.6.1|Download and install iFix025 or later
Jazz Team Server|7.0|Download and install iFix015 or later
Jazz Team Server|7.0.1|Download and install iFix017 or later
Jazz Team Server|7.0.2|Download and install iFix013 or later

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm ibm_engineering_lifecycle_management_base matches 6.0.6 OR 6.0.6.1 OR 7.0 OR 7.0.1 OR 7.0.2

Vendor|Product|Version|CPE
---|---|---|---
ibm|ibm_engineering_lifecycle_management_base|6.0.6|cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:6.0.6:*:*:*:*:*:*:*
ibm|ibm_engineering_lifecycle_management_base|6.0.6.1|cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:6.0.6.1:*:*:*:*:*:*:*
ibm|ibm_engineering_lifecycle_management_base|7.0|cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0:*:*:*:*:*:*:*
ibm|ibm_engineering_lifecycle_management_base|7.0.1|cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0.1:*:*:*:*:*:*:*
ibm|ibm_engineering_lifecycle_management_base|7.0.2|cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0.2:*:*:*:*:*:*:*
