CVE-2020-4495 — Incorrect Authorization in IBM Engineering Lifecycle Optimization

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

8.8HIGHNVD

EPSS

1.5%

top 18.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Engineering Lifecycle Optimization IBM Engineering Test Management IBM Rational Collaborative Lifecycle Management +9 more

Timeline

PublishedJun 2

Latest updateMay 24

Description

IBM Jazz Foundation and IBM Engineering products could allow a remote attacker to bypass security restrictions, caused by improper access control. By sending a specially-crafted request to the REST API, an attacker could exploit this vulnerability to bypass access restrictions, and execute arbitrary actions with administrative privileges. IBM X-Force ID: 182114.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages16 packages

▶CVEListV5ibm/engineering_test_management7.0.0, 7.0.1+1

▶NVDibm/engineering_test_management7.0.0, 7.0.1+1

▶NVDibm/engineering_lifecycle_management7.0, 7.0.1, 7.0.2+2

▶CVEListV5ibm/engineering_lifecycle_optimization7.0, 7.0.1, 7.0.2+2

▶CVEListV5ibm/rational_engineering_lifecycle_manager5 versions+4

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-5wv5-m844-q857: IBM Jazz Foundation and IBM Engineering products could allow a remote attacker to bypass security restrictions, caused by improper access control↗2022-05-24

▶

CVEList

CVE-2020-4495: IBM Jazz Foundation and IBM Engineering products could allow a remote attacker to bypass security restrictions, caused by improper access control↗2021-06-02

▶

💬Community

Bugzilla

CVE-2019-7572 SDL: buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c↗2019-02-13

▶