“Local Access Only” authentication type does not prevent unauthenticated remote access to Help Server Administration.
CVE ID: CVE-2014-3106
**Description:** IBM Rational ClearQuest allows a remote unauthenticated attacker to bypass the security restrictions set by the “Local Access Only” ACL. ClearQuest introduced a new Help system in 7.1.2.02 in 2011, but its “Local Access Only” authentication type does not work. This would allow the attacker to view files they might not otherwise have access to.
CVSS Base Score: 5.0
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94313> for the current score
**CVSS Environmental Score:** Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
ClearQuest version | Status |
---|---|
8.0.1 through 8.0.1.4 | Affected |
8.0 through 8.0.0.11 | Affected |
7.1.2 through 7.1.2.14 | Affected |
7.1.0.x, 7.1.1.x (all versions and fix packs) | Not Affected |
Upgrade to one of the following releases:
Affected Versions | Applying the fix |
---|---|
8.0.1.x | Install Rational ClearQuest Fix Pack 5 (8.0.1.5) for 8.0.1 |
8.0.0.x | Install Rational ClearQuest Fix Pack 12 (8.0.0.12) for 8.0 |
7.1.2.x | Install Rational ClearQuest Fix Pack 15 (7.1.2.15) for 7.1.2 |
None