SB2025041684 - Multiple vulnerabilities in Primavera Gateway
Published: April 16, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2024-47554)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling untrusted input passed to the org.apache.commons.io.input.XmlStreamReader class. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
2) Resource management error (CVE-ID: CVE-2024-57699)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling a specially crafted JSON input. A remote attacker can pass a large number of ’{’ characters to the application and perform a denial of service (DoS) attack.
Note, the vulnerability exists due to incomplete fix for #VU75044 (CVE-2023-1370).
3) Uncontrolled Recursion (CVE-ID: CVE-2024-7254)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. A remote attacker can pass specially crafted input to the application to create unbounded recursions and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.