SB20250416155 - Multiple vulnerabilities in Siebel CRM Cloud Applications

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20250416155

SB20250416155 - Multiple vulnerabilities in Siebel CRM Cloud Applications

Published: April 16, 2025

Security Bulletin ID SB20250416155
CSH Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) UNIX symbolic link following (CVE-ID: CVE-2024-42367)

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a symlink following issue when handling static routes which contain files with compressed variants in the FileResponse class even when "follow_symlinks=False" is set. A remote attacker can pass a specially crafted file to the application and perform directory traversal attacks.


2) Incorrect authorization (CVE-ID: CVE-2024-9902)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an error within the ansible-core `user` module. A local user can silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.


Remediation

Install update from vendor's website.

References