SB2026031036 - Multiple vulnerabilities in IBM DevOps Code ClearCase
Published: March 10, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) XML External Entity injection (CVE-ID: CVE-2024-12801)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input in SaxEventRecorder. A remote attacker can pass a specially crafted configuration XML file to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
2) Input validation error (CVE-ID: CVE-2025-11226)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when parsing configuration file. A remote attacker can trick the victim into using a specially crafted configuration file and execute arbitrary code on the system.
Successful exploitation of the vulnerability requires presence of Janino library and Spring Framework on the user's class path.
3) Input validation error (CVE-ID: CVE-2026-1225)
The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A local privileged user can instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file.
Remediation
Install update from vendor's website.