SB20241015124 - Multiple vulnerabilities in Oracle Communications Cloud Native Core DBTier 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20241015124

SB20241015124 - Multiple vulnerabilities in Oracle Communications Cloud Native Core DBTier

Published: October 15, 2024 Updated: December 4, 2024

Security Bulletin ID SB20241015124
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2024-0450)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the zipfile module does not properly control consumption of internal resources when extracting files from a zip archive. A remote attacker can pass a specially crafted archive aka zip-bomb to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.


2) Path traversal (CVE-ID: CVE-2024-38816)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Specifically, an application is vulnerable when both of the following are true:

  • the web application uses RouterFunctions</code> to serve static resources</li><li>resource handling is explicitly configured with a <code>FileSystemResource location


Remediation

Install update from vendor's website.

References