CVE-2026-14979 PUBLISHED

IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to XML Entity Expansion attack

Assigner: ibm
Reserved: 07.07.2026 Published: 17.07.2026 Updated: 17.07.2026

IBM Engineering Lifecycle Management 7.0.3 ( Interim Fix 001 through ) Interim Fix 021, 7.1.0 ( Interim Fix 001 through ) Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 DOORS could allow a remote attacker to cause a denial of service due to improper handling of XML entity expansion.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 5.3

Product Status

Vendor IBM
Product Engineering Lifecycle Management
Versions
  • affected from 7.0.3 ( Interim Fix 001 to ) Interim Fix 021 (incl.)
  • affected from 7.1.0 ( Interim Fix 001 to ) Interim Fix 009 (incl.)
  • Version 7.2.0 and 7.2.0 Interim Fix 001 is affected

Solutions

IBM strongly recommends addressing the vulnerability now by upgrading to iFixes detailed below:

Affected Product(s)Version(s)Remediation/Fix/Instructions

IBM Engineering Lifecycle Management - Jazz Foundation

7.0.3Download and install  iFix022 https://www.ibm.com/support/fixcentral/swg/downloadFixes

IBM Engineering Lifecycle Management - Jazz Foundation

7.1.0Download and install  iFix010 https://www.ibm.com/support/fixcentral/swg/downloadFixes

IBM Engineering Lifecycle Management - Jazz Foundation

7.2.0Download and install  iFix002 https://www.ibm.com/support/fixcentral/swg/downloadFixes

References

Problem Types

  • CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') CWE