SB2025012816 - Multiple vulnerabilities in IBM Cloud Transformation Advisor 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025012816

SB2025012816 - Multiple vulnerabilities in IBM Cloud Transformation Advisor

Published: January 28, 2025

Security Bulletin ID SB2025012816
Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 25% Low 75%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Inefficient regular expression complexity (CVE-ID: CVE-2024-52798)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

2) Input validation error (CVE-ID: CVE-2024-47764)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied cookies. A remote attacker can pass a specially crafted cookie to the application and alter values passed to the application.


3) Incorrect Regular Expression (CVE-ID: CVE-2024-21538)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


4) Improper input validation (CVE-ID: CVE-2024-21235)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


5) Improper input validation (CVE-ID: CVE-2024-21217)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.


6) Improper input validation (CVE-ID: CVE-2024-21210)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle Java SE. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


7) Improper input validation (CVE-ID: CVE-2024-21208)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.


8) Integer overflow (CVE-ID: CVE-2024-10917)

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to return of an incorrect value which has wrapped around by the JNI function GetStringUTFLength. A remote attacker can pass specially crafted data to the application, trigger integer overflow and bypass security restrictions.


Remediation

Install update from vendor's website.

References