SB2025041040 - Multiple vulnerabilities in IBM Business Automation Manager Open Editions
Published: April 10, 2025 Updated: June 20, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 34 secuirty vulnerabilities.
1) Improper access control (CVE-ID: CVE-2015-0277)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to Service Provider (SP) in PicketLink does not ensure that it is a member of an Audience element when an AudienceRestriction is specified. A remote user can log in to other users' accounts via a crafted SAML assertion.
2) Inefficient regular expression complexity (CVE-ID: CVE-2024-45296)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
3) Buffer overflow (CVE-ID: CVE-2024-47072)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing unstrusted input. A remote attacker can pass a specially crafted stream to the application, trigger a stack overflow and perform a denial of service (DoS) attack.
Successful exploitation of this vulnerability requires that XStream is configured to use the BinaryStreamDriver.
4) Resource exhaustion (CVE-ID: CVE-2024-5971)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to response writes hand when using Java 17 TLSv1.3 NewSessionTicket. A remote attacker can perform a denial of service (DoS) attack.
5) Input validation error (CVE-ID: CVE-2024-6162)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling url-encoded request path information. A remote attacker can send a specially crafted HTTP request to the application and perform a denial of service (DoS) attack.
6) Information disclosure (CVE-ID: CVE-2024-7885)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insecure sharing of resources where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure.
7) Code Injection (CVE-ID: CVE-2024-6345)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when processing URL in the package_index module of pypa/setuptools. A remote attacker can send a specially crafted request and execute arbitrary code on the target system via download functions.
8) Cryptographic issues (CVE-ID: CVE-2014-5075)
The vulnerability allows a remote attacker to gain access to spoof SSL servers.
The vulnerability exists due to Ignite Realtime Smack XMPP API when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. A remote attacker can perform a man-in-the-middle attack to spoof SSL servers via an arbitrary valid certificate.
9) Insufficient verification of data authenticity (CVE-ID: CVE-2015-6254)
The vulnerability allows a remote user to affect vulnerable system.
The vulnerability exists due to (1) Service Provider (SP) and (2) Identity Provider (IdP) in PicketLink does not ensure that the Destination attribute in a Response element in a SAML assertion matches the location from which the message was received. A remote user can make unspecified impact via unknown vectors.
10) Inadequate Encryption Strength (CVE-ID: CVE-2024-41909)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to incorrect implementation of the SSH Binary Packet Protocol (BPP), which mishandles the handshake phase and the use of sequence numbers. A remote attacker can perform MitM attack and delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features and perform "Terrapin attack".
11) Cross-site scripting (CVE-ID: CVE-2019-14862)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the xlink:href attributes. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
12) Information disclosure (CVE-ID: CVE-2023-0833)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the OKHttp component. A remote user can send a specially crafted request to the server containing a header with an illegal value and disclose potentially sensitive information.
13) Information disclosure (CVE-ID: CVE-2024-31141)
The vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to the way Apache Kafka Clients handles custom configurations. A remote user with access to REST API can read arbitrary files and variables on the system and escalate their privileges filesystem/environment access.
14) Resource management error (CVE-ID: CVE-2024-47535)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an unsafe reading of an environment file on Windows. A local user can create an overly large file and perform a denial of service (DoS) attack.
15) Input validation error (CVE-ID: CVE-2024-38809)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when parsing ETags from "If-Match" or "If-None-Match" request headers. A remote attacker can send a specially crafted HTTP request to the application and perform a denial of service (DoS) attack.
16) Resource exhaustion (CVE-ID: CVE-2024-38808)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when evaluating user-supplied SpEL expression. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
17) Inadequate encryption strength (CVE-ID: CVE-2023-48795)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to incorrect implementation of the SSH Binary Packet Protocol (BPP), which mishandles the handshake phase and the use of sequence numbers. A remote attacker can perform MitM attack and delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5.
The vulnerability was dubbed "Terrapin attack" and it affects both client and server implementations.
18) Infinite loop (CVE-ID: CVE-2024-30172)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in the Ed25519 verification code. A remote attacker can pass a specially signature and public key to the application, consume all available system resources and cause denial of service conditions.
19) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-50379)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing access restrictions to the default servlet. If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.
20) Cross-site scripting (CVE-ID: CVE-2020-11023)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when passing <option> elements to jQuery’s DOM manipulation methods. A remote attacker can execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
21) Cross-site scripting (CVE-ID: CVE-2020-11022)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the regex operation in "jQuery.htmlPrefilter". A remote attacker can pass specially crafted data to the application that uses .html()</code>, <code>.append() or similar methods for it and execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
22) HTTP response splitting (CVE-ID: CVE-2019-20445)
The vulnerability allows a remote attacker to perform HTTP splitting attacks.
The vulnerability exists due to software does not corrector process CRLF character sequences within the HttpObjectDecoder.java in Netty, which allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. A remote attacker can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.
Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.
23) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2019-20444)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to incorrect processing of HTTP headers without the colon within the HttpObjectDecoder.java file in Netty. A remote attacker can send a specially crafted HTTP request to the application and perform HTTP request smuggling attack.
24) Code Injection (CVE-ID: CVE-2023-24540)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation when processing whitespace characters. A remote attacker can send a specially crafted request and execute arbitrary JavaScript code.
25) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-29736)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input passed via the WADL stylesheet parameter. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability requires that a custom stylesheet parameter is configured.
26) Resource exhaustion (CVE-ID: CVE-2024-23672)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can keep WebSocket connections open for a long time to trigger resource exhaustion and perform a denial of service (DoS) attack.
27) Deserialization of Untrusted Data (CVE-ID: CVE-2023-6378)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insecure input validation when processing serialized data in logback receiver component. A remote attacker can pass specially crafted data to the application and cause a denial of service condition on the target system.
28) Incorrect authorization (CVE-ID: CVE-2020-7692)
The vulnerability allows a remote attacker to bypass authorization process.
The vulnerability exists due to missing support for PKCE. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource.
29) Improper access control (CVE-ID: CVE-2021-20250)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote non-authenticated attacker can gain unauthorized access to sensitive information.
30) XML External Entity injection (CVE-ID: CVE-2021-33813)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input within the SAXBuilder. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
31) Information disclosure (CVE-ID: CVE-2021-40690)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. A remote attacker can abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
32) Incorrect Regular Expression (CVE-ID: CVE-2022-21681)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
33) Resource exhaustion (CVE-ID: CVE-2023-5685)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in NotifierState, when the chain of notifier states becomes problematically large. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
34) Improper Authorization (CVE-ID: CVE-2023-6236)
The vulnerability allows a remote user to bypass certain security restrictions.
The vulnerability exists in the OidcSessionTokenStore when determining if a cached token should be used or not. When an OIDC app that serves multiple tenants attempts to access the
second tenant, it should prompt the user to log in again since the
second tenant is secured with a different OIDC configuration. A remote user can gain unauthorized access to the second tenant.
Remediation
Install update from vendor's website.