Security Bulletin: IBM Engineering Test Management is vulnerable to arbitrary data access due to XStream ( CVE-2020-26258, CVE-2020-26259 )

Summary

IBM Engineering Test Management is vulnerable to remote attacker having access to snesitive data or to arbitrary files from system due to XStream.

Vulnerability Details

CVEID:CVE-2020-26258
**DESCRIPTION:**XStream is vulnerable to server-side request forgery, caused by a flaw when unmarshalling. By manipulating the processed input stream, a remote attacker could exploit this vulnerability to obtain sensitive data.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193525 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2020-26259
**DESCRIPTION:**XStream could allow a remote attacker to delete arbitrary files from the system, caused by improper input sanitization. By manipulating the processed input, an attacker could exploit this vulnerability to delete arbitrary files from the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193524 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to following IBM Engineering Test Management releases or any version later :

• IBM Engineering Test Management 7.0.2 iFix008
• IBM Engineering Test Management 7.0.1 iFix012
• IBM Engineering Test Management 7.0 iFix013
• Rational Quality Manager 6.0.6.1 iFix020
• Rational Quality Manager 6.0.6 iFix024

Workarounds and Mitigations

None.