SB2025060536 - Multiple vulnerabilities in IBM Concert Software
Published: June 5, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 22 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2020-11023)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when passing <option> elements to jQuery’s DOM manipulation methods. A remote attacker can execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Use-after-free (CVE-ID: CVE-2022-49043)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the xmlXIncludeAddNode() function in xinclude.c. A remote attacker can pass specially crafted XML input to the application, trigger a use-after-free error and crash the application or potentially execute arbitrary code.
3) Improper authentication (CVE-ID: CVE-2024-12797)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to an error when using RFC7250 Raw Public Keys (RPKs) to authenticate a server. TLS and DTLS connections using raw public keys are vulnerable to man-in-middle attacks when server authentication failure is not detected by clients.
Note, the vulnerability can be exploited only when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain.
4) Type Confusion (CVE-ID: CVE-2024-6119)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a type confusion error when performing certificate name checks. A remote attacker can supply a specially crafted X.509 certificate to the server, trigger a type confusion error and perform a denial of service (DoS) attack.
5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-2727)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improperly imposed security restrictions. A remote user can launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers.
Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
6) Security features bypass (CVE-ID: CVE-2024-35195)
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to the session object does not verify requests after making first request with verify=False. A local administrator can bypass authentication.
7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-2728)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improperly imposed security restrictions. A remote user can launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers.Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.
8) Resource exhaustion (CVE-ID: CVE-2024-28863)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources while parsing a tar file. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
9) Insecure inherited permissions (CVE-ID: CVE-2024-7143)
The vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to the way permissions are assigned on new tasks with RBAC enabled. A remote user can use a specially crafted task that creates new objects. Such objects will be owned by the oldest user with model/domain-level task permissions within the application and executed with privileges of such a user.
10) Improper authorization (CVE-ID: CVE-2024-45337)
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to improper authorization caused by improper usage of the ServerConfig.PublicKeyCallback callback. A remote attacker can bypass authorization in certain cases and gain access to the application.
11) Resource exhaustion (CVE-ID: CVE-2024-45338)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in several Parse functions. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
12) Information disclosure (CVE-ID: CVE-2024-45336)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the HTTP client will send Authorization header to a third-party domain after a chain of redirects. A remote attacker can gain unauthorized access to credentials.
13) Memory leak (CVE-ID: CVE-2025-22866)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a small number of bits of secret scalars are leaked on the ppc64le architecture in crypto/internal/nistec. A local user can gain access to potentially sensitive information.
14) Input validation error (CVE-ID: CVE-2024-45341)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect handling of URI name constraint in certificate chains. A remote attacker can create a certificate with a URI, which has a IPv6 address with a zone ID, and bypass URI name checks.
The vulnerability affects users of private PKIs which make use of URIs.
15) Resource exhaustion (CVE-ID: CVE-2025-22869)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the ssh package when handling clients that complete the key exchange slowly, or not at all. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.
16) Incorrect authorization (CVE-ID: CVE-2024-41110)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to AuthZ zero length regression. A remote user can bypass authentication and gain elevated privileges.
17) Improper neutralization of argument delimiters in a command (CVE-ID: CVE-2025-21613)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation when handling URL field in arguments passed to the git-upload-pack command. A remote attacker can trick the victim into passing a specially crafted URL as a flag to the affected command and manipulate arguments for the git-upload-pack command, which can result in information disclosure.
18) Resource exhaustion (CVE-ID: CVE-2025-21614)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling responses from a malicious Git server. A remote attacker can trick the victim into connecting to a malicious Git server and perform a denial of service (DoS) attack.
19) Race condition (CVE-ID: CVE-2024-45310)
The vulnerability allows a remote attacker to crate empty files and directories on the host.
The vulnerability exists due to a race condition when handling containers with custom configuration. A remote attacker can trick the victim into running a specially crafted Docker or Kubernetes container, which can be used to share a volume between two containers and then exploit a race with os.MkdirAll to create empty files or directories in arbitrary locations in the host filesystem.
Successful exploitation of the vulnerability may allow an attacker to perform a denial of service attack against the host system.
20) Resource exhaustion (CVE-ID: CVE-2025-27144)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing JWS and JWE input. A remote attacker can pass specially crafted data to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
21) Resource exhaustion (CVE-ID: CVE-2022-30635)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when calling Decoder.Decode on a message which contains deeply nested structures. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
22) Out-of-bounds write (CVE-ID: CVE-2019-12900)
Remediation
Install update from vendor's website.