SB2026062702 - Multiple vulnerabilities in IBM Storage Defender Copy Data Management

Description

This security bulletin contains information about 17 vulnerabilities.

1) Code Injection (CVE-ID: CVE-2026-33940)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation caused by type confusion in dynamic partial handling in lib/handlebars/runtime.js when processing a dynamic partial lookup that returns a crafted object from the template context. A remote attacker can supply a crafted object as the looked-up dynamic partial value to execute arbitrary code.

The issue affects server-side rendering scenarios in which user-controlled context data can be returned by a dynamic partial lookup, such as {{> (lookup . "key")}}. Exploitation requires control over a value returned by the dynamic partial lookup.

2) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-33939)

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper check for unusual or exceptional conditions in template compilation in lib/handlebars/compiler/javascript-compiler.js when processing user-supplied templates containing decorator syntax that references an unregistered decorator. A remote attacker can submit a specially crafted template to cause a denial of service.

The issue occurs because the compiled template invokes the result of lookupProperty(decorators, ...) as a function even when it is undefined, leading to an unhandled TypeError that can crash the Node.js process. It affects applications that compile user-supplied templates at request time.

3) Input validation error (CVE-ID: CVE-2026-41293)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to trigger unexpected application behavior.

The vulnerability exists due to improper input validation in HTTP/2 request header handling when exposing header values through the Servlet API. A remote attacker can send crafted HTTP/2 request headers to trigger unexpected application behavior.

This may affect applications that assume header values exposed through the Servlet API are specification compliant.

4) Improper access control (CVE-ID: CVE-2026-41635)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper access control in AbstractIoBuffer.resolveClass() when deserializing objects via IoBuffer.getObject(). A remote attacker can send a specially crafted serialized object to execute arbitrary code.

The issue affects the branch for static classes or primitive types, which bypasses the classname allowlist.

5) Deserialization of Untrusted Data (CVE-ID: CVE-2024-52046)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in ObjectSerializationDecoder. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

6) Deserialization of Untrusted Data (CVE-ID: CVE-2026-41409)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in AbstractIoBuffer.getObject() when deserializing untrusted objects. A remote attacker can supply a crafted serialized object to execute arbitrary code.

Only applications that call IoBuffer.getObject() are affected.

7) Code Injection (CVE-ID: CVE-2026-33941)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a local user to execute arbitrary JavaScript code.

The vulnerability exists due to improper neutralization of user-controlled input in the Handlebars CLI precompiler when generating JavaScript output from template file names and CLI options. A local user can supply specially crafted template names or option values to execute arbitrary JavaScript code.

The issue affects bin/handlebars and lib/precompiler.js through multiple injection points involving template names, namespace values, CommonJS paths, and AMD paths, and the injected code executes when the generated bundle is loaded in Node.js or a browser. User interaction is required to load the generated bundle.

8) Improper access control (CVE-ID: CVE-2026-43515)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

The vulnerability allows a remote attacker to bypass security constraints.

The vulnerability exists due to improper access control in HTTP method constraint processing when evaluating multiple security constraints for the same extension pattern. A remote attacker can send a request using an improperly constrained HTTP method to bypass security constraints.

9) Code Injection (CVE-ID: CVE-2026-33938)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to code injection through type confusion in the @partial-block handling and dynamic compilation fallback when processing a tampered @partial-block value during partial invocation. A remote attacker can overwrite @partial-block with a crafted Handlebars AST to execute arbitrary code.

The issue affects handlebars.js when templates can reach and mutate the data frame, and a subsequent {{> @partial-block}} causes the crafted AST to be compiled and executed in the server process.

10) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-43513)

CWE-ID: CWE-178 - Improper Handling of Case Sensitivity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to weaken brute-force protection against a user's password.

The vulnerability exists due to improper input handling in LockOutRealm when processing case-insensitive user names. A remote attacker can vary the case of a user name during authentication attempts to weaken brute-force protection against a user's password.

This affects Realms where user names are treated as case insensitive.

11) Code Injection (CVE-ID: CVE-2026-33937)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in Handlebars.compile() and the JavaScript code generator when processing a crafted pre-parsed AST object. A remote attacker can supply a crafted AST with a malicious NumberLiteral value to execute arbitrary code.

The issue affects cases where user-controlled JSON or other untrusted input is deserialized and passed directly to compile() as an AST object instead of a template string, and no user interaction is required.

12) Cross-site scripting (CVE-ID: CVE-2026-33916)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in resolvePartial() and invokePartial() in the Handlebars runtime when rendering a partial whose name is resolved through a polluted prototype chain. A remote attacker can pollute Object.prototype with a string value matching a partial reference to execute arbitrary script code in a victim's browser.

Exploitation requires a prototype pollution condition in the target application and user interaction to render a template that references the attacker-chosen partial name. The injected partial content is rendered without HTML escaping, which can result in reflected or stored cross-site scripting.

13) Protection Mechanism Failure (CVE-ID: CVE-2025-41249)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to gain access to sensitive information. 

The vulnerability exists due to the annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. A remote attacker can gain access to sensitive information. 

14) Protection Mechanism Failure (CVE-ID: CVE-2025-41248)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the annotation detection mechanism does not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. A remote attacker can gain access to sensitive information. 

15) Improper authorization (CVE-ID: CVE-2025-41232)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to an error in Spring Security Aspects, that may not correctly locate method security annotations on private methods. A remote non-authenticated attacker can bypass authorization checks and gain unauthorized access to the application. 

The vulnerability affects system that:

1. use @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects, and
2. have Spring Security method annotations on a private method

16) Improper authorization (CVE-ID: CVE-2025-22223)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to an error in @EnableMethodSecurity when locating method security annotations on parameterized types or methods. A remote non-authenticated attacker can bypass authorization process and gain access to sensitive information.

17) Improper Authentication (CVE-ID: CVE-2026-43512)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

The vulnerability allows a remote attacker to authenticate as an unknown user.

The vulnerability exists due to improper authentication in the DIGEST authenticator when processing authentication for users not known to the configured Realm. A remote attacker can submit the password "null" for an unknown user to authenticate as an unknown user.

This occurs only when DIGEST authentication is configured.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7277815