Multiple vulnerabilities in IBM Storage Protect Server
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2025-2518 CVE-2025-0915 CVE-2025-1992 CVE-2025-1000 CVE-2025-1493 CVE-2024-52903 CVE-2025-3050 CVE-2024-49350 CVE-2024-7254 |
| CWE-ID | CWE-789 CWE-770 CWE-401 CWE-362 CWE-20 CWE-121 CWE-674 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Storage Protect Server Other software / Other software solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Uncontrolled Memory Allocation
EUVDB-ID: #VU110188
Risk: Low
CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-2518
CWE-ID:
CWE-789 - Uncontrolled Memory Allocation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsStorage Protect Server: before 8.1.27.100
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7249983
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU113107
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-0915
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient release of allocated memory resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsStorage Protect Server: before 8.1.27.100
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7249983
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Memory leak
EUVDB-ID: #VU113108
Risk: Low
CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-1992
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform DoS attack on the target system.
The vulnerability exists due to insufficient release of allocated memory after usage. A remote user can force the application to leak memory and perform denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsStorage Protect Server: before 8.1.27.100
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7249983
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU113110
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-1000
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of automatic client rerouting when connecting to a z/OS database. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsStorage Protect Server: before 8.1.27.100
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7249983
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Race condition
EUVDB-ID: #VU113111
Risk: Medium
CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-1493
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to concurrent execution of shared resources. A remote user can exploit the race and gain unauthorized access to perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsStorage Protect Server: before 8.1.27.100
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7249983
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU113112
Risk: Low
CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-52903
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsStorage Protect Server: before 8.1.27.100
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7249983
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU110179
Risk: Low
CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-3050
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper allocation of CPU resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsStorage Protect Server: before 8.1.27.100
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7249983
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Stack-based buffer overflow
EUVDB-ID: #VU110189
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-49350
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to server may crash under certain conditions with a specially crafted query. A remote unauthenticated user can send a specially crafted query, trigger stack-based buffer overflow and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsStorage Protect Server: before 8.1.27.100
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7249983
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Uncontrolled Recursion
EUVDB-ID: #VU97574
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-7254
CWE-ID:
CWE-674 - Uncontrolled Recursion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. A remote attacker can pass specially crafted input to the application to create unbounded recursions and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsStorage Protect Server: before 8.1.27.100
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7249983
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
