Multiple vulnerabilities in IBM Jazz Reporting Service



Published: 2017-07-31 | Updated: 2020-08-08
Risk: Medium
Patch available: YES
Number of vulnerabilities: 3
CVE-ID: CVE-2017-1340, CVE-2017-1490, CVE-2017-1370
CWE-ID: CWE-200, CWE-209
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Jazz Reporting Service (Client/Desktop applications / Other client software)
Vendor: IBM Corporation

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU37990

Risk: Medium

CVSSv3.1: 4.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-1340

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

IBM Jazz Reporting Service (JRS) 6.0.4 could allow an authenticated user to obtain information on another server that the current report builder interacts with. IBM X-Force ID: 126455.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Jazz Reporting Service: 6.0.4

External links

http://www.ibm.com/support/docview.wss?uid=swg22009973
http://www.securityfocus.com/bid/101880
http://exchange.xforce.ibmcloud.com/vulnerabilities/126455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU38288

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-1490

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

An unspecified vulnerability in the Lifecycle Query Engine of Jazz Reporting Service 6.0 through 6.0.4 could disclose highly sensitive information.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Jazz Reporting Service: 6.0 - 6.0.4

External links

http://www.ibm.com/support/docview.wss?uid=swg22008253
http://www.securityfocus.com/bid/100835
http://exchange.xforce.ibmcloud.com/vulnerabilities/128688


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Information Exposure Through an Error Message

EUVDB-ID: #VU38621

Risk: Medium

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-1370

CWE-ID: CWE-209 - Information Exposure Through an Error Message

Exploit availability: No

Description

The vulnerability allows a remote privileged user to gain access to sensitive information.

IBM Jazz Reporting Service (JRS) 5.0 and 6.0 could disclose sensitive information, including user credentials, through an error message from the Report Builder administrator configuration page. IBM X-Force ID: 126863.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Jazz Reporting Service: 5.0 - 6.0.4

External links

http://www.ibm.com/support/docview.wss?uid=swg22005868
http://www.securityfocus.com/bid/99954
http://exchange.xforce.ibmcloud.com/vulnerabilities/126863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


