SB2025071423 - Multiple vulnerabilities in HPE Telco Network Function Virtualization Orchestrator Software
Published: July 14, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 secuirty vulnerabilities.
1) Code Injection (CVE-ID: CVE-2024-12798)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation in JaninoEventEvaluator extension when handling environment variables. A local user can inject specially crafted data into environment variables and execute arbitrary code with elevated privileges.
2) Input validation error (CVE-ID: CVE-2020-13956)
The vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to insufficient validation of user-supplied input in Apache HttpClient. A remote attacker can pass request URIs to the library as java.net.URI object and force the application to pick the wrong target host for request execution.
3) Improper Authorization (CVE-ID: CVE-2024-38827)
The vulnerability allows a remote attacker to bypass authorization.
The vulnerability exists due to presence of Locale dependent exceptions when using String.toLowerCase() and String.toUpperCase() for string comparison. A remote attacker can bypass authorization rules using specially crafted input.
Note, the vulnerability is related to #VU98795 (CVE-2024-38820).
4) Input validation error (CVE-ID: CVE-2024-38828)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input passed via Spring MVC controller method with @RequestBody byte[] parameter. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
5) Security features bypass (CVE-ID: CVE-2024-38820)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to String.toLowerCase() has some Locale dependent exceptions when handling case insensitive patterns in DataBinder. A remote attacker can bypass implemented security restrictions by passing specially crafted data to the application.
6) Path traversal (CVE-ID: CVE-2024-38819)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in applications that serve static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
7) XML External Entity injection (CVE-ID: CVE-2024-12801)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input in SaxEventRecorder. A remote attacker can pass a specially crafted configuration XML file to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
8) Information disclosure (CVE-ID: CVE-2024-38829)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to Locale dependent exceptions when using String.toLowerCase() and String.toUpperCase() against untrusted input. A remote attacker can pass specially crafted data to the application and gain access to sensitive information.
Note, the vulnerability is related to #VU98795 (CVE-2024-38820).
9) Security features bypass (CVE-ID: CVE-2024-56201)
The vulnerability allows a local user to bypass sandbox restrictions.
The vulnerability exists due to improper validation of user-supplied input. A local user with the ability to control both the filename and the contents of a template can bypass sandbox restrictions.
10) Security features bypass (CVE-ID: CVE-2024-56326)
The vulnerability allows a local user to bypass sandbox restrictions.
The vulnerability exists in the way the Jinja sandboxed environment detects calls to str.format. A local user with the ability to control the contents of a template can bypass sandbox restrictions.11) Use-after-free (CVE-ID: CVE-2025-24898)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the ssl::select_next_proto() function. A remote attacker can trigger a use-after-free error and crash the server or read arbitrary memory contents.
12) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2024-6827)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to Gunicorn does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. A remote attacker can send a specially crafted HTTP request to the server and initiate cache poisoning, data exposure, session manipulation, SSRF, XSS, DoS, data integrity compromise, security bypass, information leakage, and business logic abuse.
13) Improper authorization (CVE-ID: CVE-2024-45337)
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to improper authorization caused by improper usage of the ServerConfig.PublicKeyCallback callback. A remote attacker can bypass authorization in certain cases and gain access to the application.
Remediation
Install update from vendor's website.