SB2025112620 - Multiple vulnerabilities in IBM Storage Protect Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025112620

SB2025112620 - Multiple vulnerabilities in IBM Storage Protect Server

Published: November 26, 2025

Security Bulletin ID SB2025112620
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 56% Low 44%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 vulnerabilities.


1) Uncontrolled Memory Allocation (CVE-ID: CVE-2025-2518)

CWE-ID: CWE-789 - Uncontrolled Memory Allocation

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-0915)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient release of allocated memory resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Memory leak (CVE-ID: CVE-2025-1992)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform DoS attack on the target system.

The vulnerability exists due to insufficient release of allocated memory after usage. A remote user can force the application to leak memory and perform denial of service attack.


4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-1000)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of automatic client rerouting when connecting to a z/OS database. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


5) Race condition (CVE-ID: CVE-2025-1493)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to perform a denial of service attack.

The vulnerability exists due to concurrent execution of shared resources. A remote user can exploit the race and gain unauthorized access to perform a denial of service attack.


6) Input validation error (CVE-ID: CVE-2024-52903)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


7) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-3050)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper allocation of CPU resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


8) Stack-based buffer overflow (CVE-ID: CVE-2024-49350)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to perform a denial of service attack.

The vulnerability exists due to server may crash under certain conditions with a specially crafted query. A remote unauthenticated user can send a specially crafted query, trigger stack-based buffer overflow and perform a denial of service attack.


9) Uncontrolled Recursion (CVE-ID: CVE-2024-7254)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. A remote attacker can pass specially crafted input to the application to create unbounded recursions and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References