SB2025021024 - Multiple vulnerabilities in IBM Business Automation Insights
Published: February 10, 2025 Updated: November 28, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 17 secuirty vulnerabilities.
1) Incorrect Regular Expression (CVE-ID: CVE-2024-4067)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
2) NULL pointer dereference (CVE-ID: CVE-2024-7006)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in tif_dirinfo.c. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
3) Out-of-bounds read (CVE-ID: CVE-2024-5535)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the SSL_select_next_proto() function when using NPN. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds read and perform a denial of service (DoS) attack.
4) Input validation error (CVE-ID: CVE-2024-47175)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to ppdCreatePPDFromIPP2 does not sanitize IPP attributes when creating the PPD buffer. A remote attacker can inject attacker-controlled data in the resulting PPD.
5) Resource exhaustion (CVE-ID: CVE-2024-0450)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the zipfile module does not properly control consumption of internal resources when extracting files from a zip archive. A remote attacker can pass a specially crafted archive aka zip-bomb to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
6) Asymmetric Resource Consumption (Amplification) (CVE-ID: CVE-2024-45590)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of a large number of requests when url encoding is enabled. A remote attacker can send multiple requests to the server and perform a denial of service (DoS) attack.
7) Cross-site scripting (CVE-ID: CVE-2024-43800)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
8) Cross-site scripting (CVE-ID: CVE-2024-43796)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in response.redirect() method. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
9) Path traversal (CVE-ID: CVE-2024-38816)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Specifically, an application is vulnerable when both of the following are true:
- the web application uses
RouterFunctions</code> to serve static resources</li><li>resource handling is explicitly configured with a <code>FileSystemResourcelocation
10) Input validation error (CVE-ID: CVE-2024-38428)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper input validation of URL when parsing strings with semicolons within the scheme_leading_string() function in url.c. A remote attacker can pass a specially crafted URL to the application and influence its behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.
11) Resource exhaustion (CVE-ID: CVE-2024-34158)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to go/build/constraint does not properly control consumption of internal resources when calling Parse on a "// +build" build tag line with deeply nested expressions. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
12) Resource exhaustion (CVE-ID: CVE-2024-34156)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to encoding/gob does not properly control consumption of internal resources when calling Decoder.Decode. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Note, this vulnerability is related to #VU66068 (CVE-2024-34156).
13) Resource exhaustion (CVE-ID: CVE-2024-34155)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to go/parser does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
14) Information disclosure (CVE-ID: CVE-2023-50314)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can use a certificate issued by a trusted authority to obtain sensitive information.
15) Prototype pollution (CVE-ID: CVE-2022-24999)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and perform a denial of service (DoS) attack.
16) Inefficient regular expression complexity (CVE-ID: CVE-2024-52798)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.17) Input validation error (CVE-ID: CVE-2024-47561)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when parsing schema in Java SDK. A remote attacker can pass specially crafted schema to the application and execute arbitrary code on the system.
Remediation
Install update from vendor's website.