Impact
IBM Engineering Lifecycle Management 7.0.3, 7.1.0 and 7.2.0 contain an XML external entity injection (XXE) flaw that is triggered when the system processes XML data. An authenticated attacker can craft a malicious XML document that references internal files or external resources; the server fetches and returns that data, exposing sensitive information such as configuration files or credentials. Processing the injected entities also consumes memory, which can degrade performance or cause a denial of service.
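As an added defensive illustration (not code from the advisory, from IBM or from OpenCVE): a Python intake check that refuses the DTD constructs an XXE or entity-expansion payload relies on before the document ever reaches a parser. The sample documents, the placeholder file path and the size ceiling are constructed for the demonstration.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET

MAX_DOC_BYTES = 1_000_000  # assumed intake ceiling; tune per deployment


class UnsafeXML(ValueError):
    """Raised when a document contains a construct an XXE payload relies on."""


def hardened_parse(doc: bytes) -> ET.Element:
    """Parse `doc` only if it carries no DOCTYPE, entity declaration or external
    reference. Pass 1 runs expat with handlers that abort on any DTD construct and
    with parameter-entity processing disabled, so nothing is fetched or expanded;
    pass 2 parses the vetted bytes with ElementTree."""
    if len(doc) > MAX_DOC_BYTES:
        raise UnsafeXML(f"document too large ({len(doc)} bytes)")

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE not permitted (root element {name!r})")

    def reject_entity(name, is_pe, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        raise UnsafeXML(f"{kind} entity declaration {name!r} not permitted")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference to {sysid!r} blocked")

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.Parse(doc, True)  # raises UnsafeXML at the first DTD construct
    return ET.fromstring(doc)


def accepts(doc: bytes) -> bool:
    """True if `doc` passes the hardened parser, False if it is rejected."""
    try:
        hardened_parse(doc)
        return True
    except (UnsafeXML, ET.ParseError, expat.ExpatError):
        return False


# Constructed samples (not from the advisory): a benign document, a file-disclosure
# style payload with a placeholder path, and a nested entity expansion of the kind
# that exhausts parser memory.
BENIGN = b"<project><name>ELM</name></project>"
FILE_REF = (b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///placeholder/not-read">]>'
            b"<d>&x;</d>")
EXPANSION = (b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">'
             b'<!ENTITY c "&b;&b;&b;&b;">]><d>&c;</d>')
```

Rejecting every DOCTYPE is deliberately stricter than disabling only external entities: it also stops the internal entity expansion that causes the memory exhaustion the advisory describes.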
Affected Systems
Affected are IBM Engineering Lifecycle Management – Jazz Foundation versions 7.0.3, 7.1.0, and 7.2.0. The vulnerability exists in the base releases of these versions until the relevant iFix updates – iFix022 for 7.0.3, iFix010 for 7.1.0, and iFix002 for 7.2.0 – are applied. Any deployment running those specific versions without the corresponding iFix remains vulnerable.
Risk and Exploitability
The CVSS score of 7.1 places the vulnerability in the high severity range, reflecting its potential impact on confidentiality and availability. An EPSS score below 1% indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the updated description, the attack is inferred to require an authenticated session: the attacker must hold valid credentials to submit the malicious XML payload, which the server then processes. If unmitigated, an adversary could read protected files or exhaust system memory, potentially disrupting services.
OpenCVE Enrichment