Description
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application.
Published: 2026-05-26
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application. This vulnerability directly undermines authentication controls and permits elevation of privileges, exposing the application to potential data theft, tampering, and service disruption. The weakness is a clear instance of Authentication Bypass as identified by CWE‑863.

Affected Systems

IBM Engineering Lifecycle Management – Jazz Foundation versions 7.0.3, 7.1.0, and 7.2.0 are affected. For 7.0.3 the applicable fix is iFix022, for 7.1.0 it is iFix010, and for 7.2.0 it is iFix002.

Risk and Exploitability

The CVSS score of 9.8 reflects a high severity level. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, as the description states an unauthenticated remote attacker can trigger the flaw. Exploitation requires network connectivity to the Jazz Foundation server and the ability to write to server property files, after which the attacker can bypass authentication and access the application.

Generated by OpenCVE AI on May 26, 2026 at 21:26 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading to iFixes detailed below: Affected Product(s)Version(s)Remediation/Fix/Instructions IBM Engineering Lifecycle Management - Jazz Foundation 7.0.3Download and install  iFix022 https://www.ibm.com/support/fixcentral/swg/downloadFixes IBM Engineering Lifecycle Management - Jazz Foundation 7.1.0Download and install  iFix010 https://www.ibm.com/support/fixcentral/swg/downloadFixes IBM Engineering Lifecycle Management - Jazz Foundation 7.2.0Download and install  iFix002 https://www.ibm.com/support/fixcentral/swg/downloadFixes

OpenCVE Recommended Actions

  • Download and install the iFix corresponding to your Jazz Foundation version: iFix022 for 7.0.3, iFix010 for 7.1.0, or iFix002 for 7.2.0.
  • Restrict file system permissions on the server property files so that only privileged system accounts can modify them, preventing unauthorized edits.
  • Configure monitoring or integrity checks on the server property files to promptly detect and alert on any unauthorized changes.

Generated by OpenCVE AI on May 26, 2026 at 21:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:-:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix002:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix003:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix004:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix005:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix006:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix007:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix008:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix009:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix010:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix011:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix012:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix013:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix014:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix015:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix016:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix017:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix018:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix019:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix020:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix021:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:-:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix001:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix002:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix003:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix004:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix005:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix006:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix007:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix008:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix009:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.2.0:-:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.2.0:ifix001:*:*:*:*:*:*

Tue, 26 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description IBM Engineering Lifecycle Management 7.0.3 ( through ) Interim Fix 021, 7.1.0 ( through ) Interim Fix 009, and 7.2.0 ( through ) Interim Fix 001 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application. IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application.

Tue, 26 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description IBM Engineering Lifecycle Management 7.0.3 ( through ) Interim Fix 021, 7.1.0 ( through ) Interim Fix 009, and 7.2.0 ( through ) Interim Fix 001 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application.
Title IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Authentication Bypass
First Time appeared Ibm
Ibm engineering Lifecycle Management
Weaknesses CWE-863
CPEs cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix021:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix009:*:*:*:*:*:*:*
cpe:2.3:a:ibm:engineering_lifecycle_management:7.2.0:ifix001:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm engineering Lifecycle Management
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Ibm Engineering Lifecycle Management
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-28T03:55:35.841Z

Reserved: 2026-03-06T19:56:15.891Z

Link: CVE-2026-3660

cve-icon Vulnrichment

Updated: 2026-05-26T19:19:14.090Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T19:16:27.707

Modified: 2026-05-29T19:31:59.120

Link: CVE-2026-3660

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T22:00:14Z

Weaknesses