SB2025042219 - Multiple vulnerabilities in IBM Cloud Pak for Security
Published: April 22, 2025 Updated: June 13, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 54 security vulnerabilities.
1) Use of uninitialized resource (CVE-ID: CVE-2023-25585)
The vulnerability allows a local user to bypass certain security restrictions.
The vulnerability exists due to usage of an uninitialized field in the struct module *module. A local user can trick the victim into opening specially crafted data, leading to an application crash and local denial of service.
2) Code Injection (CVE-ID: CVE-2025-1302)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.
3) Infinite loop (CVE-ID: CVE-2018-18700)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.
4) Out-of-bounds read (CVE-ID: CVE-2019-12972)
The vulnerability allows an attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition within the "_bfd_doprnt" function in the "bfd.c" file in the Binary File Descriptor (BFD) library. A local attacker can pass a malformed ELF binary to the affected application and perform a denial of service attack.
5) Resource exhaustion (CVE-ID: CVE-2019-16163)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.
6) Insecure Temporary File (CVE-ID: CVE-2020-15250)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists because the application uses the test rule TemporaryFolder, which stores sensitive information in temporary files in the system temporary directory, accessible by other system users. A local user can read these temporary files and obtain sensitive information related to the application.
7) Input validation error (CVE-ID: CVE-2020-35493)
The vulnerability allows a local attacker to perform a denial of service attack.
The vulnerability exists in bfd/pef.c. A local attacker can send a specially crafted PEF file and perform a denial of service attack.
8) Use of uninitialized resource (CVE-ID: CVE-2020-35494)
The vulnerability allows a local user to bypass certain security restrictions.
The vulnerability exists due to usage of uninitialized resources in binutils /opcodes/tic4x-dis.c. A local user can submit a crafted input file to be processed by binutils, trigger uninitialized usage of resources and bypass implemented security mechanisms.
9) NULL pointer dereference (CVE-ID: CVE-2020-35495)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A local user can submit a crafted input file to be processed by the objdump program and perform a denial of service (DoS) attack.
10) NULL pointer dereference (CVE-ID: CVE-2020-35496)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists in bfd_pef_scan_start_address() of bfd/pef.c in binutils. A local attacker can trick the victim into opening specially crafted data and perform a denial of service (DoS) attack.
11) NULL pointer dereference (CVE-ID: CVE-2020-35507)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists in bfd_pef_parse_function_stubs of bfd/pef.c in binutils. A local attacker can trick the victim into opening specially crafted data and perform a denial of service (DoS) attack.
12) Heap-based buffer overflow (CVE-ID: CVE-2023-1972)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the _bfd_elf_slurp_version_tables() function in bfd/elf.c. A remote attacker can pass specially crafted file to the application, trigger a heap-based buffer overflow and perform a denial of service (DoS) attack.
13) Out-of-bounds read (CVE-ID: CVE-2023-25584)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the parse_module() function in bfd/vms-alpha.c. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
14) Use of uninitialized resource (CVE-ID: CVE-2023-25588)
The vulnerability allows a local user to perform a denial of service attack.
The vulnerability exists because the `the_bfd` field of the `asymbol` struct is uninitialized in the `bfd_mach_o_get_synthetic_symtab` function. A local user can trick the victim into opening specially crafted data, leading to an application crash and local denial of service.
15) Uncontrolled Memory Allocation (CVE-ID: CVE-2024-4068)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the NPM package `braces` fails to limit the number of characters it can handle, which can lead to memory exhaustion. A remote attacker can send "imbalanced braces" as input; the parser enters a loop in which it keeps allocating heap memory without ever freeing it. Eventually the JavaScript heap limit is reached and the program crashes.
16) Incorrect Resource Transfer Between Spheres (CVE-ID: CVE-2024-29018)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application within external DNS requests from "internal" networks. A remote attacker can gain unauthorized access to sensitive information on the system.
17) Cross-site scripting (CVE-ID: CVE-2025-26791)
The disclosed vulnerability allows a remote attacker to perform mutation cross-site scripting (XSS) attacks.
The vulnerability exists due to an incorrect template literal regular expression in DOMPurify. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
18) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2024-42461)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling BER-encoded ECDSA signatures. A remote attacker can bypass signature-based security checks.
19) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2024-42460)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling ECDSA signatures. A remote attacker can bypass signature-based security checks.
20) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2024-42459)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling EDDSA signatures. A remote attacker can bypass signature-based security checks.
21) Cross-site scripting (CVE-ID: CVE-2024-43788)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in AutoPublicPathRuntimeModule. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
22) Heap-based buffer overflow (CVE-ID: CVE-2018-12699)
The vulnerability allows a local attacker to cause DoS condition on the target system.
The vulnerability exists due to heap-based buffer overflow in the finish_stab function, as defined in the stabs.c source code file. A local attacker can execute the objdump command, trigger memory corruption and cause the service to crash.
23) Improper neutralization of argument delimiters in a command (CVE-ID: CVE-2025-21613)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation when handling URL field in arguments passed to the git-upload-pack command. A remote attacker can trick the victim into passing a specially crafted URL as a flag to the affected command and manipulate arguments for the git-upload-pack command, which can result in information disclosure.
24) Resource exhaustion (CVE-ID: CVE-2025-21614)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when handling responses from a malicious Git server. A remote attacker can trick the victim into connecting to a malicious Git server and perform a denial of service (DoS) attack.
25) Incorrect Comparison (CVE-ID: CVE-2023-45133)
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists in `@babel/traverse` and `babel-traverse`. A local user can execute arbitrary code during compilation when using plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods.
26) Path traversal (CVE-ID: CVE-2024-29180)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists because webpack-dev-middleware, the development middleware for webpack, does not sufficiently validate the supplied URL before returning the local file. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
27) Improper verification of cryptographic signature (CVE-ID: CVE-2024-48948)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect validation of valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. Such behavior leads to valid signatures being rejected.
28) Improper input validation (CVE-ID: CVE-2025-21502)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
29) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-6763)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in HttpURI. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.
30) Resource exhaustion (CVE-ID: CVE-2023-51775)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion via a large p2c (aka PBES2 Count) value and perform a denial of service (DoS) attack.
31) Resource exhaustion (CVE-ID: CVE-2023-52428)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of user requests by the PasswordBasedDecrypter (PBKDF2) component. A remote attacker can send a specially crafted request using a large JWE p2c header, trigger resource exhaustion and perform a denial of service (DoS) attack.
32) Insecure Storage of Sensitive Information (CVE-ID: CVE-2024-10041)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists because the software stores secrets in memory in plain text. A local user can read the memory and obtain passwords in plain text when PAM is used to perform authentication.
33) Improper authentication (CVE-ID: CVE-2024-10963)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in pam_access module where certain rules in its configuration file are mistakenly treated as hostnames. A remote attacker can bypass authentication process and gain unauthorized access to the system.
34) Improper input validation (CVE-ID: CVE-2024-21068)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
35) Resource exhaustion (CVE-ID: CVE-2024-22201)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when handling HTTP/2 connections. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
36) Improper access control (CVE-ID: CVE-2024-23944)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in persistent watchers. A remote user can bypass implemented security restrictions and obtain user names or login identifiers.
37) Information disclosure (CVE-ID: CVE-2024-45336)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the HTTP client sends the Authorization header to a third-party domain after a chain of redirects. A remote attacker can gain unauthorized access to credentials.
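The redirect behaviour described in entry 37 can be contained on the client side with a CheckRedirect policy that compares every hop against the original request rather than the previous hop. The Go program below is an added example written for this bulletin, not code from IBM or the Go project; it assumes a strict same-origin rule (scheme and host:port must match, which is stricter than net/http's own hostname/subdomain rule) and uses two constructed local test servers to build the chain A -> B/1 -> B/2.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Credential-bearing headers that must not leave the origin of the first request.
var sensitiveHeaders = []string{"Authorization", "Proxy-Authorization", "Cookie"}

// sameOrigin compares scheme and host:port (assumption: no legitimate
// cross-port or cross-subdomain redirect needs to carry credentials).
func sameOrigin(a, b *url.URL) bool {
	return a.Scheme == b.Scheme && a.Host == b.Host
}

// newStrictClient judges every hop against the ORIGINAL request (via[0]), not the
// previous hop, so a chain A -> B/1 -> B/2 cannot bring back headers dropped on A -> B.
func newStrictClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return fmt.Errorf("stopped after %d redirects", len(via))
			}
			// net/http has already copied headers onto req when this runs.
			if !sameOrigin(via[0].URL, req.URL) {
				for _, h := range sensitiveHeaders {
					req.Header.Del(h)
				}
			}
			return nil
		},
	}
}

// runRedirectChain stands up the constructed chain A -> B/1 -> B/2 on two local test
// servers and returns the Authorization value that reached B/2 ("" means no leak).
func runRedirectChain(client *http.Client) (string, error) {
	var seen string
	mux := http.NewServeMux()
	mux.Handle("/1", http.RedirectHandler("/2", http.StatusFound))
	mux.HandleFunc("/2", func(_ http.ResponseWriter, r *http.Request) { seen = r.Header.Get("Authorization") })
	b := httptest.NewServer(mux)
	defer b.Close()
	a := httptest.NewServer(http.RedirectHandler(b.URL+"/1", http.StatusFound))
	defer a.Close()
	req, err := http.NewRequest(http.MethodGet, a.URL+"/", nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer constructed-sample-token")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return seen, nil
}

func main() {
	seen, err := runRedirectChain(newStrictClient())
	fmt.Printf("Authorization at final hop: %q (err: %v)\n", seen, err)
}
```

Both test servers listen on 127.0.0.1 with different ports, so the port-sensitive sameOrigin check is what keeps the header from reaching B/2; a hostname-only comparison would let it through.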
38) Resource management error (CVE-ID: CVE-2024-47535)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an unsafe reading of an environment file on Windows. A local user can create an overly large file and perform a denial of service (DoS) attack.
39) Resource management error (CVE-ID: CVE-2024-57699)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling specially crafted JSON input. A remote attacker can pass a large number of '{' characters to the application and perform a denial of service (DoS) attack.
Note, the vulnerability exists due to incomplete fix for #VU75044 (CVE-2023-1370).
40) Uncontrolled Recursion (CVE-ID: CVE-2023-1370)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled recursion when processing nested arrays and objects. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service (DoS) attack.
41) Uncontrolled Recursion (CVE-ID: CVE-2024-7254)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. A remote attacker can pass specially crafted input to the application to create unbounded recursions and perform a denial of service (DoS) attack.
42) Infinite loop (CVE-ID: CVE-2024-55565)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop. A remote user can consume all available system resources and cause denial of service conditions.
43) Resource exhaustion (CVE-ID: CVE-2024-8184)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources within the ThreadLimitHandler.getRemote() function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
44) Memory leak (CVE-ID: CVE-2025-22866)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists because a small number of bits of secret scalars are leaked on the ppc64le architecture in crypto/internal/nistec. A local user can gain access to potentially sensitive information.
45) Input validation error (CVE-ID: CVE-2025-24970)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in SslHandler when using native SSLEngine. A remote attacker can send a specially crafted packet to the application and perform a denial of service (DoS) attack.
46) Resource exhaustion (CVE-ID: CVE-2025-25193)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists because the application attempts to load a file that does not exist. A local user can create a large file on the system and crash the application.
Note, the vulnerability affects Windows installations only.
47) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-27152)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.
48) Inefficient regular expression complexity (CVE-ID: CVE-2025-27789)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.
49) Inefficient regular expression complexity (CVE-ID: CVE-2024-45813)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.
50) Code Injection (CVE-ID: CVE-2024-12798)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation in JaninoEventEvaluator extension when handling environment variables. A local user can inject specially crafted data into environment variables and execute arbitrary code with elevated privileges.
51) XML External Entity injection (CVE-ID: CVE-2024-12801)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input in SaxEventRecorder. A remote attacker can pass a specially crafted configuration XML file to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
52) Incorrect Regular Expression (CVE-ID: CVE-2024-21538)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.
53) Improper authorization (CVE-ID: CVE-2024-45337)
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to improper authorization caused by improper usage of the ServerConfig.PublicKeyCallback callback. A remote attacker can bypass authorization in certain cases and gain access to the application.
54) Inefficient regular expression complexity (CVE-ID: CVE-2024-52798)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.
Remediation
Install update from vendor's website.