Vulnerability CVE-2018-1694 - CERT Civis.Net

Vulnerability Name:

CVE-2018-1694 (CCN-145609)

Assigned:

2017-12-13

Published:

2018-11-02

Updated:

2020-08-24

Summary:

IBM Jazz applications (IBM Rational Collaborative Lifecycle Management 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational DOORS Next Generation 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Quality Manager 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Rhapsody Design Manager 5.0 through 5.02 and 6.0 through 6.0.6, IBM Rational Software Architect Design Manager 5.0 through 5.02 and 6.0 through 6.0.1, IBM Rational Team Concert 5.0 through 5.02 and 6.0 through 6.0.6) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 145609.

CVSS v3 Severity:

5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2018-1694

Source: CCN
Type: IBM Security Bulletin 738301 (Rational Collaborative Lifecycle Management)
Security vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.ibm.com/support/docview.wss?uid=ibm10738301

Source: XF
Type: Patch, VDB Entry, Vendor Advisory
ibm-jazz-cve20181694-info-disc(145609)

Source: XF
Type: UNKNOWN
ibm-jazz-cve20181694-info-disc(145609)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:rational_collaborative_lifecycle_management:*:*:*:*:*:*:*:* (Version >= 5.0.0 and <= 6.0.6)

OR cpe:/a:ibm:rational_doors_next_generation:*:*:*:*:*:*:*:* (Version >= 5.0.0 and <= 5.0.2)

OR cpe:/a:ibm:rational_doors_next_generation:*:*:*:*:*:*:*:* (Version >= 6.0.0 and <= 6.0.6)

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:*:*:*:*:*:*:*:* (Version >= 5.0.0 and <= 5.0.2)

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:*:*:*:*:*:*:*:* (Version >= 6.0.0 and <= 6.0.6)

OR cpe:/a:ibm:rational_quality_manager:*:*:*:*:*:*:*:* (Version >= 5.0.0 and <= 5.0.2)

OR cpe:/a:ibm:rational_quality_manager:*:*:*:*:*:*:*:* (Version >= 6.0.0 and <= 6.0.6)

OR cpe:/a:ibm:rational_rhapsody_design_manager:*:*:*:*:*:*:*:* (Version >= 5.0.0 and <= 5.0.2)

OR cpe:/a:ibm:rational_rhapsody_design_manager:*:*:*:*:*:*:*:* (Version >= 6.0.0 and <= 6.0.6)

OR cpe:/a:ibm:rational_software_architect_design_manager:*:*:*:*:*:*:*:* (Version >= 5.0.0 and <= 5.0.2)

OR cpe:/a:ibm:rational_software_architect_design_manager:*:*:*:*:*:*:*:* (Version >= 6.0.0 and <= 6.0.1)

OR cpe:/a:ibm:rational_team_concert:*:*:*:*:*:*:*:* (Version >= 5.0.0 and <= 5.0.2)

OR cpe:/a:ibm:rational_team_concert:*:*:*:*:*:*:*:* (Version >= 6.0.0 and <= 6.0.6)

Configuration CCN 1:

cpe:/a:ibm:rational_quality_manager:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_software_architect_design_manager:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:6.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:6.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:6.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_software_architect_design_manager:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_software_architect_design_manager:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:6.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:6.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:6.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:6.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:6.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:6.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:6.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.6:*:*:*:*:*:*:*

Denotes that component is vulnerable