SB2026060453 - Multiple vulnerabilities in IBM Sterling Connect:Direct for Microsoft Windows

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026060453

SB2026060453 - Multiple vulnerabilities in IBM Sterling Connect:Direct for Microsoft Windows

Published: June 4, 2026

Security Bulletin ID SB2026060453
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2025-11143)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a differential parsing of URIs between different components of the application. A remote attacker can use such behavior to bypass implemented security restrictions. 


2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-2332)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary HTTP requests.

The vulnerability exists due to inconsistent interpretation of HTTP requests in the chunked transfer encoding extension parser when parsing quoted strings in HTTP/1.1 chunked transfer encoding extension values. A remote attacker can send a specially crafted chunked HTTP request to inject arbitrary HTTP requests.

The issue occurs because CRLF sequences inside quoted strings are treated as chunk header terminators instead of parsing errors.


Remediation

Install update from vendor's website.

References