PT-2015-4476 · IBM · IBM Rational Team Concert +7
Published: 2015-06-07 · Updated: 2015-06-25 · CVE-2015-0112
CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Lifecycle Management (CLM) versions 3.0.1, 4.x through 4.0.6, and 5.x through 5.0.1
Rational Quality Manager (RQM) versions 2.0 through 2.0.1, 3.0 through 3.0.1.6, 4.0 through 4.0.6, and 5.0 through 5.0.1
Rational Team Concert (RTC) versions 2.0 through 2.0.0.2, 3.x through 3.0.1.5, 4.x through 4.0.6, and 5.x through 5.0.1
Rational Requirements Composer (RRC) versions 2.0 through 2.0.0.4, 3.x through 3.0.1.5, and 4.0 through 4.0.6
Rational DOORS Next Generation (RDNG) versions 4.x through 4.0.6 and 5.x through 5.0.1
Rational Engineering Lifecycle Manager (RELM) versions 1.0 through 1.0.0.1, 4.0.3 through 4.0.6, and 5.0 through 5.0.1
Rational Rhapsody Design Manager (DM) versions 3.0 through 3.0.1, 4.0 through 4.0.6, and 5.0 through 5.0.1
Rational Software Architect Design Manager (RSA DM) versions 3.0 through 3.0.1, 4.0 through 4.0.6, and 5.0 through 5.0.1
Description
The issue allows remote authenticated users to read arbitrary files via an XML external entity declaration used in conjunction with an entity reference, i.e. an XML External Entity (XXE) issue. It is caused by improper handling of XML external entities in user-supplied XML, which lets an attacker retrieve sensitive files from the server's file system.
Recommendations
For Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Lifecycle Management (CLM) versions 3.0.1, 4.x through 4.0.6, and 5.x through 5.0.1, update to version 4.0.7 IF5 or 5.0.2 IF4 or later.
For Rational Quality Manager (RQM) versions 2.0 through 2.0.1, 3.0 through 3.0.1.6, 4.0 through 4.0.6, and 5.0 through 5.0.1, update to version 4.0.7 or 5.0.2 or later.
For Rational Team Concert (RTC) versions 2.0 through 2.0.0.2, 3.x through 3.0.1.5, 4.x through 4.0.6, and 5.x through 5.0.1, update to version 3.0.1.6 IF6, 4.0.7 IF5, or 5.0.2 IF4 or later.
For Rational Requirements Composer (RRC) versions 2.0 through 2.0.0.4, 3.x through 3.0.1.5, and 4.0 through 4.0.6, update to version 3.0.1.6 IF6 or 4.0.7 or later.
For Rational DOORS Next Generation (RDNG) versions 4.x through 4.0.6 and 5.x through 5.0.1, update to version 4.0.7 IF5 or 5.0.2 IF4 or later.
For Rational Engineering Lifecycle Manager (RELM) versions 1.0 through 1.0.0.1, 4.0.3 through 4.0.6, and 5.0 through 5.0.1, update to version 4.0.7 or 5.0.2 or later.
For Rational Rhapsody Design Manager (DM) versions 3.0 through 3.0.1, 4.0 through 4.0.6, and 5.0 through 5.0.1, update to version 4.0.7 or 5.0.2 or later.
For Rational Software Architect Design Manager (RSA DM) versions 3.0 through 3.0.1, 4.0 through 4.0.6, and 5.0 through 5.0.1, update to version 4.0.7 or 5.0.2 or later.
Affected Products
Jazz Team Server
IBM Rational DOORS Next Generation
IBM Rational Engineering Lifecycle Manager
IBM Rational Quality Manager
IBM Rational Requirements Composer
Rational Rhapsody Design Manager
IBM Rational Software Architect Design Manager
IBM Rational Team Concert