IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application.
The vulnerability stems from improper authorization (CWE-863), which means that access control mechanisms do not properly verify the requestor's identity before allowing write operations. An unauthenticated remote attacker can send network requests that modify server property files without needing any credentials. The modified configuration files can then allow the attacker to gain unauthorized access to the application, for example by changing authentication or authorization settings.
An attacker can gain unauthorized access to the IBM Engineering Lifecycle Management application, which threatens the confidentiality, integrity, and availability of system data and functions (CVSS C:H/I:H/A:H).
Patches available from the vendor should be applied according to the references: https://www.ibm.com/support/pages/node/7274079
IBM Engineering Lifecycle Management in versions 7.0.3, 7.1.0, and 7.2.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIBM Engineering Lifecycle Management
APPIbm7.0.37.1.07.2.0
Related vulnerabilities
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privi...
IBM Engineering Lifecycle Management 7.0.3 Interim Fix 001 through Interim Fix 021, 7.1.0 Interim Fix 001 th...
IBM Jazz Foundation and IBM Engineering products could allow a remote attacker to bypass security restrictions...
IBM Jazz Team Server products use weaker than expected cryptographic algorithms that could allow an attacker t...
IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing X...