SB2025103054 - Splunk AppDynamics Private Synthetic Agent update for third-party components

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025103054

SB2025103054 - Splunk AppDynamics Private Synthetic Agent update for third-party components

Published: October 30, 2025

Security Bulletin ID SB2025103054
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Improper Authentication (CVE-ID: CVE-2024-45159)

The vulnerability allows a remote attacker to authenticate with a wrong certificate.

The vulnerability exists due to an error when a server enables optional authentication of the client and TLS 1.3 is used. if the client-provided certificate does not have appropriate values in keyUsage or extKeyUsage extensions, then the return value of mbedtls_ssl_get_verify_result() would incorrectly have the MBEDTLS_X509_BADCERT_KEY_USAGE and  MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits
clear. As a result, an attacker that had a certificate valid for uses other than TLS client authentication could be able to use it for TLS client authentication anyway.


2) Heap-based buffer overflow (CVE-ID: CVE-2022-48622)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the ani_load_chunk() function in io-ani.c. A remote attacker can trick the victim to open a specially crafted .ani file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References