Multiple vulnerabilities in IBM Financial Transaction Manager (FTM) for RedHat OpenShift



Risk: High
Patch available: Yes
Number of vulnerabilities: 5
CVE-ID: CVE-2025-53905, CVE-2025-53906, CVE-2025-6395, CVE-2025-32990, CVE-2025-32988
CWE-ID: CWE-22, CWE-476, CWE-415
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Financial Transaction Manager for RedHat OpenShift
Other software / Other software solutions

Vendor: IBM Corporation

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU112980

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-53905

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an input validation error when processing directory traversal sequences in the tar.vim plugin. A remote attacker can trick the victim into opening a specially crafted archive and overwrite arbitrary files on the system, leading to remote code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Financial Transaction Manager for RedHat OpenShift: 3.2.13 - 4.0.7.0

External links

https://www.ibm.com/support/pages/node/7248125


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Path traversal

EUVDB-ID: #VU112979

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-53906

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an input validation error when processing directory traversal sequences in the zip.vim plugin. A remote attacker can trick the victim into opening a specially crafted archive and overwrite arbitrary files on the system, leading to remote code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Financial Transaction Manager for RedHat OpenShift: 3.2.13 - 4.0.7.0

External links

https://www.ibm.com/support/pages/node/7248125


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) NULL pointer dereference

EUVDB-ID: #VU112995

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-6395

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when a TLS 1.3 handshake involves a Hello Retry Request and the second Client Hello omits the PSK which was present in the first Client Hello. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Financial Transaction Manager for RedHat OpenShift: 3.2.13 - 4.0.7.0

External links

https://www.ibm.com/support/pages/node/7248125


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) NULL pointer dereference

EUVDB-ID: #VU112994

Risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-32990

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when the certtool program is invoked with a template file that contains a number of string pairs for a single keyword. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Financial Transaction Manager for RedHat OpenShift: 3.2.13 - 4.0.7.0

External links

https://www.ibm.com/support/pages/node/7248125


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Double free

EUVDB-ID: #VU112993

Risk: Medium

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-32988

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when exporting a certificate with an otherName in the SAN (subject alternative name) extension. A remote attacker can trick the victim into exporting a specially crafted certificate, trigger a double free on the ASN.1 structure and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Financial Transaction Manager for RedHat OpenShift: 3.2.13 - 4.0.7.0

External links

https://www.ibm.com/support/pages/node/7248125


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.