SB2026050554 - Multiple vulnerabilities in IBM Storage Defender Copy Data Management
Published: May 5, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 12 secuirty vulnerabilities.
1) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2026-29146)
The vulnerability allows a remote attacker to decrypt protected communications.
The vulnerability exists due to the use of a padding-oracle-prone cryptographic mode in EncryptInterceptor when processing encrypted traffic with the default CBC configuration. A remote attacker can perform a padding oracle attack to decrypt protected communications.
2) Command Injection (CVE-ID: CVE-2021-23337)
The vulnerability allows a remote user to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation when processing templates. A remote privileged user can inject and execute arbitrary commands on the system.
3) Code Injection (CVE-ID: CVE-2026-4800)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control of code generation in _.template when processing untrusted options.imports key names. A remote attacker can supply crafted imports key names to execute arbitrary code.
Code execution occurs at template compilation time. If Object.prototype has been polluted by another vector, inherited polluted keys can also be copied into the imports object and passed to Function().
4) Prototype pollution (CVE-ID: CVE-2025-13465)
The vulnerability allows a remote attacker to alter application's behavior.
The vulnerability exists due to improper input validation within the in the _.unset and _.omit functions. A remote attacker can pass specially crafted input to the application and delete methods from global prototypes.
5) Prototype pollution (CVE-ID: CVE-2026-2950)
The vulnerability allows a remote attacker to modify object prototype attributes.
The vulnerability exists due to improper control of object prototype modification in _.unset and _.omit when processing array-wrapped path segments. A remote attacker can pass crafted path segments to modify object prototype attributes.
The bypass affects checks that only guard against string key members. The issue permits deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype, but does not allow overwriting their original behavior.
6) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-34483)
The vulnerability allows a remote attacker to inject arbitrary JSON into the JSON access log.
The vulnerability exists due to incomplete escaping in the JSON access log when handling requests with non-default Connector attributes relaxedPathChars and/or relaxedQueryChars. A remote attacker can send a specially crafted request to inject arbitrary JSON into the JSON access log.
Only configurations using non-default values for relaxedPathChars and/or relaxedQueryChars are affected.
7) Improper Certificate Validation (CVE-ID: CVE-2026-29145)
The vulnerability allows a remote user to bypass certificate revocation checks during authentication.
The vulnerability exists due to improper certificate validation in CLIENT_CERT authentication when processing OCSP checks in some scenarios with soft fail disabled. A remote user can present a certificate in affected scenarios to bypass certificate revocation checks during authentication.
Only some scenarios are affected when soft fail is disabled.
8) Open redirect (CVE-ID: CVE-2026-25854)
The vulnerability allows a remote attacker to redirect users to an arbitrary URI.
The vulnerability exists due to improper input validation in LoadBalancerDrainingValve when handling a specially crafted URL while a Tomcat node is in the disabled (draining) state. A remote attacker can send a specially crafted URL to redirect users to an arbitrary URI.
Only clustered deployments using LoadBalancerDrainingValve in the disabled (draining) state are affected.
9) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-24880)
The vulnerability allows a remote attacker to perform request smuggling.
The vulnerability exists due to improper input validation in HTTP/1.1 chunk extension handling when parsing chunked requests. A remote attacker can send a specially crafted request with an invalid chunk extension to perform request smuggling.
Exploitation requires a reverse proxy in front of Tomcat that allows CRLF sequences in an otherwise valid chunk extension.
10) Improper authorization (CVE-ID: CVE-2026-24734)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to incomplete OCSP verification checks. When using an OCSP responder, Tomcat's FFM integration with OpenSSL does not complete verification or freshness checks on the OCSP response. A remote attacker can bypass certificate revocation and gain unauthorized access to the application.
11) Protection mechanism failure (CVE-ID: CVE-2026-24733)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures when handling HTTP/0.9 requests. If the server is configured to allow HEAD requests to a URI but deny GET requests, an attacker can bypass that constraint on GET requests by sending a (specification invalid) HEAD request.
12) Improper authorization (CVE-ID: CVE-2025-66614)
The vulnerability allows a remote attacker to bypass client certificate verification.
The vulnerability exists due to Tomcat does not validate that the host name provided via the SNI extension is the same as the host name provided in the HTTP host header field. If there is more than one virtual host configured and the TLS configuration for one of those hosts does not require client certificate authentication, it is possible for a client to bypass the client certificate authentication for the target host by sending different host names in the SNI extension and the HTTP host header field.
Remediation
Install update from vendor's website.