SB2025012219 - Multiple vulnerabilities in JD Edwards EnterpriseOne Tools
Published: January 22, 2025 Updated: January 31, 2025
Description
This security bulletin contains information about 22 security vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2025-21517)
The vulnerability allows a remote authenticated user to manipulate data.
The vulnerability exists due to improper input validation within the Web Runtime SEC component in JD Edwards EnterpriseOne Tools. A remote authenticated user can exploit this vulnerability to manipulate data.
2) Improper input validation (CVE-ID: CVE-2025-21514)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Web Runtime SEC component in JD Edwards EnterpriseOne Tools. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
3) Out-of-bounds read (CVE-ID: CVE-2024-27280)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the "ungetbyte" and "ungetc" methods. A remote attacker can trigger an out-of-bounds read error and read contents of memory on the system.
4) Improper input validation (CVE-ID: CVE-2025-21507)
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the Web Runtime SEC component in JD Edwards EnterpriseOne Tools. A remote authenticated user can exploit this vulnerability to read and manipulate data.
5) Improper input validation (CVE-ID: CVE-2024-21245)
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the Business Logic Infra SEC component in JD Edwards EnterpriseOne Tools. A remote authenticated user can exploit this vulnerability to read and manipulate data.
6) Inadequate encryption strength (CVE-ID: CVE-2023-48795)
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to incorrect implementation of the SSH Binary Packet Protocol (BPP), which mishandles the handshake phase and the use of sequence numbers. A remote attacker can perform a MitM attack and delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5.
The vulnerability was dubbed "Terrapin attack" and it affects both client and server implementations.
7) Improper input validation (CVE-ID: CVE-2025-21538)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Web Runtime SEC component in JD Edwards EnterpriseOne Tools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
8) Improper input validation (CVE-ID: CVE-2025-21513)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Web Runtime SEC component in JD Edwards EnterpriseOne Tools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
9) Improper input validation (CVE-ID: CVE-2025-21512)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Web Runtime SEC component in JD Edwards EnterpriseOne Tools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
10) Open redirect (CVE-ID: CVE-2024-29041)
The vulnerability allows a remote attacker to redirect victims to an arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data in malformed URLs. A remote attacker can create a link that appears to lead to a trusted website but, when clicked, redirects the victim to an arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
11) Improper input validation (CVE-ID: CVE-2025-21527)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Design Tools SEC component in JD Edwards EnterpriseOne Tools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
12) State Issues (CVE-ID: CVE-2023-6129)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error in POLY1305 MAC (message authentication code) implementation on PowerPC CPU based platforms if the CPU provides vector instructions. A remote attacker can perform a denial of service (DoS) attack.
13) Improper input validation (CVE-ID: CVE-2025-21509)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Web Runtime SEC component in JD Edwards EnterpriseOne Tools. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
14) Improper input validation (CVE-ID: CVE-2025-21508)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Web Runtime SEC component in JD Edwards EnterpriseOne Tools. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
15) Incorrect default permissions (CVE-ID: CVE-2023-2976)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions in com.google.common.io.FileBackedOutputStream. A local user with access to the system can view contents of files and directories or modify them.
16) Improper input validation (CVE-ID: CVE-2025-21511)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Web Runtime SEC component in JD Edwards EnterpriseOne Tools. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
17) Improper input validation (CVE-ID: CVE-2025-21510)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Web Runtime SEC component in JD Edwards EnterpriseOne Tools. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
18) Path traversal (CVE-ID: CVE-2023-4782)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an input validation error when processing directory traversal sequences during the "init" operation if run on a maliciously crafted Terraform configuration. A local user can overwrite arbitrary files on the system and escalate privileges.
19) Reachable Assertion (CVE-ID: CVE-2024-27983)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when handling HTTP/2 packets. A remote attacker can send a small number of HTTP/2 packets with a few HTTP/2 frames inside and perform a denial of service (DoS) attack.
20) Improper input validation (CVE-ID: CVE-2025-21515)
The vulnerability allows a remote authenticated user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Web Runtime SEC component in JD Edwards EnterpriseOne Tools. A remote authenticated user can exploit this vulnerability to execute arbitrary code.
21) Improper Authorization (CVE-ID: CVE-2023-3961)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation when handling client pipe names. A remote attacker can provide a specially crafted pipe name containing directory traversal characters and force Samba to connect to Unix domain sockets outside of the private directory meant to restrict the services a client could connect to. The connection to Unix domain sockets is performed as root, which means that if a client sends a pipe name that resolves to an external service using an existing Unix domain socket, the client is able to connect to it without any filesystem restrictions.
22) Improper input validation (CVE-ID: CVE-2025-21524)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Monitoring and Diagnostics SEC component in JD Edwards EnterpriseOne Tools. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
Remediation
Install the update from the vendor's website.