IBM Support

Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Cross-site Scripting (XSS) vulnerability (CVE-2021-39043)

Security Bulletin


Summary

Summary guidance: The Jazz Team Server is vulnerable to cross-site scripting.

Vulnerability Details

CVEID:   CVE-2021-39043
DESCRIPTION:   IBM Jazz Foundation is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214032 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Products/Versions guidance:

Affected Product(s)Version(s)
Jazz Team Server6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2

 


Remediation/Fixes

Remediation/Fixes guidance:

NA

  

Workarounds and Mitigations

Workarounds/Mitigation guidance:

Product(s)Version(s) number and/or range Remediation/Fix/Instructions
Jazz Team Server6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2

Steps:

Steps to disable external content widget:

1) On the dashboard screen of the application, the administrator can see the viewlet ID in the widget catalog (Add Widget button on a dashboard) for external content viewlet ID is com.ibm.team.dashboard.viewlets.web.external

2) There is an advanced property, Disabled Widgets. This exists for each application (/jts/admin) that is accessible to the administrator.  This is a comma-separated list of viewlet IDs so in order to disable external content administrator will have to add viewlet ID in this field. Note: The viewlet ID must be listed in the advanced property for the application that owns the viewlet here it is JTS.

3) If a viewlet ID is in the advanced property, it will no longer be listed in the Add Widget interface for all users.

4) If a viewlet ID is in the advanced property, any pre-existing instances of the viewlet in dashboards will show the message "This widget has been disabled by the administrator".

 

 

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Reference guidance:

NA

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by

Change History

19 May 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSPRJQ","label":"IBM Engineering Lifecycle Management Base"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}}]

Document Information

Modified date:
19 May 2022

UID

ibm16587797

Page Feedback