CRITICAL🇵🇱 Wersja polska

CVE-2026-3660

CVSS 9.8v3.1pub. 2026-05-26upd. 2026-05-29

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application.

🤖 AI Analysis
How it works

The vulnerability stems from improper authorization (CWE-863), which means that access control mechanisms do not properly verify the requestor's identity before allowing write operations. An unauthenticated remote attacker can send network requests that modify server property files without needing any credentials. The modified configuration files can then allow the attacker to gain unauthorized access to the application, for example by changing authentication or authorization settings.

Impact

An attacker can gain unauthorized access to the IBM Engineering Lifecycle Management application, which threatens the confidentiality, integrity, and availability of system data and functions (CVSS C:H/I:H/A:H).

Mitigation & patch

Patches available from the vendor should be applied according to the references: https://www.ibm.com/support/pages/node/7274079

Who is affected

IBM Engineering Lifecycle Management in versions 7.0.3, 7.1.0, and 7.2.0.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • IBM Engineering Lifecycle Management

    APP
    Ibm
    7.0.37.1.07.2.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-4051HIGH7.2ten sam produkt

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privi...

CVE-2026-3603HIGH7.1ten sam produkt

IBM Engineering Lifecycle Management 7.0.3 Interim Fix 001 through  Interim Fix 021, 7.1.0  Interim Fix 001 th...

CVE-2020-4495HIGH8.8ten sam produkt

IBM Jazz Foundation and IBM Engineering products could allow a remote attacker to bypass security restrictions...

CVE-2020-4965HIGH7.5ten sam produkt

IBM Jazz Team Server products use weaker than expected cryptographic algorithms that could allow an attacker t...

CVE-2021-20502HIGH7.1ten sam produkt

IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing X...