SB2025031222 - Multiple vulnerabilities in IBM Planning Analytics

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025031222

SB2025031222 - Multiple vulnerabilities in IBM Planning Analytics

Published: March 12, 2025 Updated: August 22, 2025

Security Bulletin ID SB2025031222
Severity
Medium
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 57% Low 43%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2024-21145)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the 2D component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


2) Improper input validation (CVE-ID: CVE-2024-21144)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Concurrency component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.


3) Improper input validation (CVE-ID: CVE-2024-21131)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


4) Race condition (CVE-ID: CVE-2024-27267)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition in ORB listener. A remote attacker can trigger a race condition and perform a denial of service (DoS) attack.


5) Information disclosure (CVE-ID: CVE-2023-50314)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can use a certificate issued by a trusted authority to obtain sensitive information.


6) Uncontrolled Recursion (CVE-ID: CVE-2024-7254)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. A remote attacker can pass specially crafted input to the application to create unbounded recursions and perform a denial of service (DoS) attack.


7) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2024-40094)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to GraphQL Java (aka graphql-java) does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References