Multiple vulnerabilities in IBM Cloud Pak for Business Automation

1) Improper validation of integrity check value

EUVDB-ID: #VU89685

Risk: Medium

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-3727

CWE-ID: CWE-354 - Improper Validation of Integrity Check Value

Exploit availability: No

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper validation of integrity check. A remote attacker can trick the victim into providing authenticated registry accesses, causing resource exhaustion, local path traversal, and other attacks.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Resource exhaustion

EUVDB-ID: #VU97215

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-34155

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to go/parser does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

EUVDB-ID: #VU98131

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-43800

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Observable discrepancy

EUVDB-ID: #VU86309

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-45287

CWE-ID: CWE-203 - Observable discrepancy

Exploit availability: No

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a timing discrepancy when handling RSA based TLS key exchanges. A remote attacker can perform a Marvin attack and gain access to sensitive information.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper access control

EUVDB-ID: #VU33632

Risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2016-5386

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU21783

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-5739

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Weak password requirements

EUVDB-ID: #VU41617

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-15115

CWE-ID: CWE-521 - Weak Password Requirements

Exploit availability: No

The vulnerability allows an attacker to perform brute-force attack and guess the password.

The vulnerability exists due to weak password requirements in etcd. An attacker can perform a brute-force attack and guess users' passwords.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Infinite loop

EUVDB-ID: #VU87326

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-24786

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when parsing data in an invalid JSON format within the protojson.Unmarshal() function. A remote attacker can consume all available system resources and cause denial of service conditions.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Insufficient verification of data authenticity

EUVDB-ID: #VU86049

Risk: Medium

CVSSv4.0: 2.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-24557

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

Exploit availability: No

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient verification of data authenticity. A remote attacker can poison victim´s cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Resource exhaustion

EUVDB-ID: #VU97217

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-34158

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to go/build/constraint does not properly control consumption of internal resources when calling Parse on a "// +build" build tag line with deeply nested expressions. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Security features bypass

EUVDB-ID: #VU85991

Risk: High

CVSSv4.0: 7.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2024-21626

CWE-ID: CWE-254 - Security Features

Exploit availability: Yes

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an internal file descriptor leak that can cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace or a malicious image to allow a container process to gain access to the host filesystem through runc run. A remote attacker can trick the victim into loading a malicious image to bypass sandbox restrictions and execute arbitrary code on the host OS.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

12) Command Injection

EUVDB-ID: #VU89067

Risk: Low

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-3154

CWE-ID: CWE-77 - Command injection

Exploit availability: No

The vulnerability allows a remote user to execute arbitrary commands on the target system.

The vulnerability exists due to the systemd property injection. A remote administrator can pass specially crafted data to the application and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Cross-site scripting

EUVDB-ID: #VU79294

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-3978

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Integer overflow

EUVDB-ID: #VU58522

Risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-43784

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in netlink bytemsg length field. A remote authenticated attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Command Injection

EUVDB-ID: #VU97744

Risk: High

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2024-47177

CWE-ID: CWE-77 - Command injection

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation in FoomaticRIPCommandLine. A remote unauthenticated attacker can use a specially crafted PPD file and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

16) Input validation error

EUVDB-ID: #VU97742

Risk: High

CVSSv4.0: 8.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2024-47076

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to cfGetPrinterAttributes5 does not sanitize IPP attributes returned from an IPP server. A remote attacker can provide controlled data to the rest of the CUPS system.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

17) Missing Authorization

EUVDB-ID: #VU97743

Risk: High

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2024-47176

CWE-ID: CWE-862 - Missing Authorization

Exploit availability: Yes

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization. A remote attacker can introduce a malicious printer to the system by sending specially crafted packets to port 631/UDP and then execute arbitrary OS commands on the system when a print job is started.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

18) XML External Entity injection

EUVDB-ID: #VU98498

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-28168

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Resource exhaustion

EUVDB-ID: #VU97216

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-34156

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to encoding/gob does not properly control consumption of internal resources when calling Decoder.Decode. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Note, this vulnerability is related to #VU66068 (CVE-2024-34156).

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Input validation error

EUVDB-ID: #VU93077

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-38428

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper input validation of URL when parsing strings with semicolons within the scheme_leading_string() function in url.c. A remote attacker can pass a specially crafted URL to the application and influence its behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Allocation of Resources Without Limits or Throttling

EUVDB-ID: #VU98137

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-40094

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

Exploit availability: Yes

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to GraphQL Java (aka graphql-java) does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

22) Input validation error

EUVDB-ID: #VU93518

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-37370

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Resource exhaustion

EUVDB-ID: #VU94709

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-0760

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion by sending a flood of DNS messages over TCP and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Out-of-bounds read

EUVDB-ID: #VU93519

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-37371

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when handling GSS message token. A remote attacker can send specially crafted token to the application, trigger an out-of-bounds read error and read contents of memory on the system.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Resource exhaustion

EUVDB-ID: #VU86378

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2023-50868

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: Yes

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing DNSSEC related records. A remote attacker can trigger resource exhaustion by forcing the DNS server to query a specially crafted DNSSEC zone and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

26) Input validation error

EUVDB-ID: #VU72618

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-24329

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to bypass implemented filters.

The vulnerability exists due to insufficient validation of URLs that start with blank characters within urllib.parse component of Python. A remote attacker can pass specially crafted URL to bypass existing filters.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Infinite loop

EUVDB-ID: #VU89296

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-24788

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when processing DNS responses. A remote attacker can send a specially crafted DNS response to the application and cause denial of service conditions.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Resource exhaustion

EUVDB-ID: #VU93850

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-24791

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of "Expect: 100-continue" HTTP requests. A remote attacker can send multiple such requests and consume all available resources.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Path traversal

EUVDB-ID: #VU80585

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-41105

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Resource exhaustion

EUVDB-ID: #VU86377

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2023-50387

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: Yes

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing DNSSEC related records. A remote attacker can trigger resource exhaustion by forcing the DNS server to query a specially crafted DNSSEC zone and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

31) Path traversal

EUVDB-ID: #VU97224

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-38816

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Specifically, an application is vulnerable when both of the following are true:

• the web application uses RouterFunctions</code> to serve static resources</li><li>resource handling is explicitly configured with a <code>FileSystemResource location

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

32) Cross-site scripting

EUVDB-ID: #VU103644

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-52365

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Resource exhaustion

EUVDB-ID: #VU96019

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-38808

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when evaluating user-supplied SpEL expression. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Incorrect Regular Expression

EUVDB-ID: #VU96716

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-39249

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Reliance on Reverse DNS Resolution for a Security-Critical Action

EUVDB-ID: #VU103643

Risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2023-31442

CWE-ID: CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to async-dns resolver (used by Discovery in DNS mode and transitively by Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records. A remote attacker can exploit the vulnerability to perform a denial of service attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Race condition

EUVDB-ID: #VU91723

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-35255

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in Azure Identity Libraries and Microsoft Authentication Library. A local user can elevate privileges and read any file on the file system.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Cross-site scripting

EUVDB-ID: #VU97768

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-43799

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "SendStream.redirect()" function. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Cross-site scripting

EUVDB-ID: #VU97209

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-43796

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in response.redirect() method. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Incorrect Regular Expression

EUVDB-ID: #VU92406

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-4067

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Incorrect Privilege Assignment

EUVDB-ID: #VU103641

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-49348

CWE-ID: CWE-266 - Incorrect Privilege Assignment

Exploit availability: No

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to IBM Business Automation Workflow allows restricting access to organizational data to valid contexts. A remote attacker can reassign tasks of type comment via API implicitly to gain access to user queries in an unexpected context.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Uncontrolled Recursion

EUVDB-ID: #VU97574

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-7254

CWE-ID: CWE-674 - Uncontrolled Recursion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. A remote attacker can pass specially crafted input to the application to create unbounded recursions and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

42) Input validation error

EUVDB-ID: #VU98760

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-47764

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied cookies. A remote attacker can pass a specially crafted cookie to the application and alter values passed to the application.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Information disclosure

EUVDB-ID: #VU96058

Risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-50314

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can use a certificate issued by a trusted authority to obtain sensitive information.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Information disclosure

EUVDB-ID: #VU88177

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-30260

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the application clears Authorization and Proxy-Authorization headers during cross-origin redirects for the fetch() method, however does not clear them for the undici.request() method, which can leak sensitive information to an unauthorized party.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Insufficient verification of data authenticity

EUVDB-ID: #VU88178

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-30261

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

Exploit availability: No

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to the application does not verify authenticity of data. A remote attacker can alter the "integrity" option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Asymmetric Resource Consumption (Amplification)

EUVDB-ID: #VU97208

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-45590

CWE-ID: CWE-405 - Asymmetric Resource Consumption (Amplification)

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of a large number of requests when url encoding is enabled. A remote attacker can send multiple requests to the server and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

47) Inefficient regular expression complexity

EUVDB-ID: #VU98132

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-45296

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

48) Input validation error

EUVDB-ID: #VU98024

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-47561

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when parsing schema in Java SDK. A remote attacker can pass specially crafted schema to the application and execute arbitrary code on the system.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

49) Cross-site scripting

EUVDB-ID: #VU103637

Risk: Medium

CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-52364

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

50) Type Confusion

EUVDB-ID: #VU96744

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-6119

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a type confusion error when performing certificate name checks. A remote attacker can supply a specially crafted X.509 certificate to the server, trigger a type confusion error and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

51) Resource exhaustion

EUVDB-ID: #VU98025

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-47554

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling untrusted input passed to the org.apache.commons.io.input.XmlStreamReader class. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

52) Resource exhaustion

EUVDB-ID: #VU94711

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-1975

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

53) Security features bypass

EUVDB-ID: #VU98795

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-38820

CWE-ID: CWE-254 - Security Features

Exploit availability: No

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to String.toLowerCase() has some Locale dependent exceptions when handling case insensitive patterns in DataBinder. A remote attacker can bypass implemented security restrictions by passing specially crafted data to the application.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

54) Improper error handling

EUVDB-ID: #VU101027

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-21536

CWE-ID: CWE-388 - Error Handling

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an UnhandledPromiseRejection error thrown by micromatch. A remote non-authenticated attacker can send specially crafted request to the application and crash the Node.js process.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

55) Improper input validation

EUVDB-ID: #VU98644

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-21235

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

56) Improper input validation

EUVDB-ID: #VU98648

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21217

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

57) Improper input validation

EUVDB-ID: #VU98645

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21210

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle Java SE. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

58) Improper input validation

EUVDB-ID: #VU98647

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21208

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

59) Out-of-bounds read

EUVDB-ID: #VU87208

Risk: Medium

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-48161

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the DumpSCreen2RGB() function in gif2rgb.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

60) Resource management error

EUVDB-ID: #VU94710

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-1737

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when handling a very large number of RRs. Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

61) Reachable assertion

EUVDB-ID: #VU94713

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-4076

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion when serving both stale cache data and authoritative zone content. A remote attacker can send specially crafted queries to the DNS server to trigger an assertion failure and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

62) Information disclosure

EUVDB-ID: #VU73703

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-0833

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the OKHttp component. A remote user can send a specially crafted request to the server containing a header with an illegal value and disclose potentially sensitive information.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

63) Resource exhaustion

EUVDB-ID: #VU89218

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-29857

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to library does not properly control consumption of internal resources when importing an EC certificate with specially crafted F2m parameters. A remote attacker can pass a specially crafted certificate to the application to trigger resource exhaustion and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

64) NULL pointer dereference

EUVDB-ID: #VU96001

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-7006

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in tif_dirinfo.c. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

65) Out-of-bounds read

EUVDB-ID: #VU93424

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-5535

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the SSL_select_next_proto() function when using NPN. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds read and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

66) Input validation error

EUVDB-ID: #VU97745

Risk: High

CVSSv4.0: 8.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2024-47175

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to ppdCreatePPDFromIPP2 does not sanitize IPP attributes when creating the PPD buffer. A remote attacker can inject attacker-controlled data in the resulting PPD.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

67) Incorrect Regular Expression

EUVDB-ID: #VU100921

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-21538

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

68) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU96050

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-39338

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

69) Improper authorization

EUVDB-ID: #VU101777

Risk: Medium

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-45337

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: Yes

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to improper authorization caused by improper usage of the ServerConfig.PublicKeyCallback callback. A remote attacker can bypass authorization in certain cases and gain access to the application.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

70) Information disclosure

EUVDB-ID: #VU101654

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-11053

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error when using a .netrc file for credentials and an instruction to follow HTTP redirects. The cURL library can leak credentials intended for the first URL prior to redirection. This however will only occur if the .netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

71) Resource exhaustion

EUVDB-ID: #VU88184

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2023-45288

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: Yes

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

72) Observable discrepancy

EUVDB-ID: #VU89219

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-30171

CWE-ID: CWE-203 - Observable discrepancy

Exploit availability: No

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a possible timing based leakage in RSA based handshakes. A remote attacker can gain access to sensitive information.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

73) Improper input validation

EUVDB-ID: #VU94555

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-21147

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

74) Infinite loop

EUVDB-ID: #VU89220

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-30172

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in the Ed25519 verification code. A remote attacker can pass a specially signature and public key to the application, consume all available system resources and cause denial of service conditions.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

75) Prototype pollution

EUVDB-ID: #VU99556

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-48910

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

Exploit availability: No

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

76) Race condition

EUVDB-ID: #VU97226

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-27267

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition in ORB listener. A remote attacker can trigger a race condition and perform a denial of service (DoS) attack.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

77) Improper input validation

EUVDB-ID: #VU94559

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21131

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

78) Improper input validation

EUVDB-ID: #VU94560

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21138

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

79) Improper input validation

EUVDB-ID: #VU94558

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21144

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Concurrency component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

80) Improper input validation

EUVDB-ID: #VU94557

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-21140

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

81) Improper input validation

EUVDB-ID: #VU94556

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-21145

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the 2D component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Install update from vendor's website.

IBM Cloud Pak for Business Automation: before 21.0.3-IF039

• cpe:2.3:a:ibm_corporation:ibm_cloud_pak_for_business_automation:*:*:*:*:*:*:*:*

http://www.ibm.com/support/pages/node/7182403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.