SB2024070811 - Multiple vulnerabilities in IBM Robotic Process Automation
Published: July 8, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 10 secuirty vulnerabilities.
1) Open redirect (CVE-ID: CVE-2023-26159)
The vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data within the url.parse() function. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
2) Insufficient Control of Network Message Volume (CVE-ID: CVE-2024-25015)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send a HTTP requests that would consume all available resources and perform a denial of service (DoS) attack.
3) Heap-based buffer overflow (CVE-ID: CVE-2024-25048)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper bounds checking. A remote attacker can overflow a buffer and execute arbitrary code on the system or cause the server to crash.
4) Improper input validation (CVE-ID: CVE-2024-20952)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
5) Observable discrepancy (CVE-ID: CVE-2023-33850)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to timing-based side channel in the RSA Decryption implementation. A remote attacker can send an overly large number of trial messages for decryption and gain unauthorized access to sensitive information on the system.
6) Resource management error (CVE-ID: CVE-2023-6237)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the way the EVP_PKEY_public_check() function handles RSA public keys. A remote attacker can supply an RSA key obtained from an untrusted source and perform a denial of service (DoS) attack.
7) NULL pointer dereference (CVE-ID: CVE-2024-0727)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when processing fields in the PKCS12 certificate. A remote attacker can pass specially crafted certificate to the server and perform a denial of service (DoS) attack.
8) Cleartext transmission of sensitive information (CVE-ID: CVE-2023-47745)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to software uses insecure communication channel to transmit sensitive information. A local user with ability to intercept network traffic can gain access to sensitive data.
9) XML External Entity injection (CVE-ID: CVE-2023-4218)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to some files with xml content are parsed vulnerable against all sorts of XXE attacks. A local user can trick the victim into opening a specially crafted XML code and view contents of arbitrary files on the system or initiate requests to external systems.
10) Input validation error (CVE-ID: CVE-2024-25016)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect buffering logic. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.