SB2025040424 - Multiple vulnerabilities in IBM Tivoli Network Configuration Manager

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025040424

SB2025040424 - Multiple vulnerabilities in IBM Tivoli Network Configuration Manager

Published: April 4, 2025

Security Bulletin ID SB2025040424
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Path traversal (CVE-ID: CVE-2024-38819)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in applications that serve static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.


2) Security features bypass (CVE-ID: CVE-2022-22968)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. A remote attacker can bypass implemented security restrictions by passing case sensitive data to the application.


3) Input validation error (CVE-ID: CVE-2024-38828)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input  passed via Spring MVC controller method with @RequestBody byte[] parameter. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


4) Resource exhaustion (CVE-ID: CVE-2024-38808)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when evaluating user-supplied SpEL expression. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


5) Input validation error (CVE-ID: CVE-2024-38809)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when parsing ETags from "If-Match" or "If-None-Match" request headers. A remote attacker can send a specially crafted HTTP request to the application and perform a denial of service (DoS) attack.


6) Buffer overflow (CVE-ID: CVE-2024-47072)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing unstrusted input. A remote attacker can pass a specially crafted stream to the application, trigger a stack overflow and perform a denial of service (DoS) attack.

Successful exploitation of this vulnerability requires that XStream is configured to use the BinaryStreamDriver.


Remediation

Install update from vendor's website.

References