SB2017073121 - Multiple vulnerabilities in IBM Jazz Reporting Service
Published: July 31, 2017 Updated: August 8, 2020
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2017-1340)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
IBM Jazz Reporting Service (JRS) 6.0.4 could allow an authenticated user to obtain information on another server that the current report builder interacts with. IBM X-Force ID: 126455.
2) Information disclosure (CVE-ID: CVE-2017-1490)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
An unspecified vulnerability in the Lifecycle Query Engine of Jazz Reporting Service 6.0 through 6.0.4 could disclose highly sensitive information.
3) Information Exposure Through an Error Message (CVE-ID: CVE-2017-1370)
The vulnerability allows a remote privileged user to gain access to sensitive information.
IBM Jazz Reporting Service (JRS) 5.0 and 6.0 could disclose sensitive information, including user credentials, through an error message from the Report Builder administrator configuration page. IBM X-Force ID: 126863.
Remediation
Install the update from the vendor's website.
References
- http://www.ibm.com/support/docview.wss?uid=swg22009973
- http://www.securityfocus.com/bid/101880
- https://exchange.xforce.ibmcloud.com/vulnerabilities/126455
- http://www.ibm.com/support/docview.wss?uid=swg22008253
- http://www.securityfocus.com/bid/100835
- https://exchange.xforce.ibmcloud.com/vulnerabilities/128688
- http://www.ibm.com/support/docview.wss?uid=swg22005868
- http://www.securityfocus.com/bid/99954
- https://exchange.xforce.ibmcloud.com/vulnerabilities/126863