SB2025071708 - Multiple vulnerabilities in IBM Business Automation Insights 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025071708

SB2025071708 - Multiple vulnerabilities in IBM Business Automation Insights

Published: July 17, 2025 Updated: August 29, 2025

Security Bulletin ID SB2025071708
Severity
Critical
Patch available
YES
Number of vulnerabilities 14
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 7% High 21% Medium 36% Low 36%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 14 secuirty vulnerabilities.


1) Heap-based buffer overflow (CVE-ID: CVE-2023-1916)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the extractImageSection() function in tools/tiffcrop.c. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and perform a denial of service (DoS) attack.


2) Inefficient regular expression complexity (CVE-ID: CVE-2025-27789)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


3) Out-of-bounds write (CVE-ID: CVE-2025-27363)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can pass a specially crafted font to the application that is using an affected version of the library, trigger an out-of-bounds write and execute arbitrary code on the target system.


4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-27152)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.


5) Out-of-bounds write (CVE-ID: CVE-2023-52355)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input within the TIFFRasterScanlineSize64() API. A remote attacker can pass a specially crafted TIFF file to the application, trigger an out-of-bounds write and execute arbitrary code on the target system.


6) Input validation error (CVE-ID: CVE-2023-24607)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the Qt SQL ODBC driver plugin. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


7) Resource management error (CVE-ID: CVE-2023-24056)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to variable duplication in libpkgconf/tuple.c:pkgconf_tuple_parse, which may cause unbounded string expansion. A remote attacker can trick the victim to open a specially crafted .pc file containing a few hundred bytes that can expand to one billion bytes, resulting in a denial of service condition.


8) Heap-based buffer overflow (CVE-ID: CVE-2022-3570)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in tiffcrop.c utility in libtiff when processing TIFF files. A remote attacker can pass specially crafted file to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


9) Heap-based buffer overflow (CVE-ID: CVE-2022-1354)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the TIFFReadRawDataStriped() function in tiffinfo.c. A remote attacker can pass specially crafted TIFF file to the application that is using the affected library, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


10) Out-of-bounds write (CVE-ID: CVE-2021-38593)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when rendering SVG file within in QOutlineMapper::convertPath. A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger out-of-bounds write and crash the application.


11) NULL pointer dereference (CVE-ID: CVE-2020-35538)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the jcopy_sample_rows() function. A remote attacker can pass specially crafted input to the affected application and perform a denial of service (DoS) attack.


12) Insecure Temporary File (CVE-ID: CVE-2020-15250)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the application is using the test rule TemporaryFolder that stores sensitive information in temporary files in the system temporary directory, accessible by other system users. A local user can read temporary files and obtain sensitive information, related to the application.


13) Out-of-bounds read (CVE-ID: CVE-2019-11038)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD). A remote attacker can create a specially crafted image, pass it to the affected application, trigger out-of-bounds read error and read contents of memory on the system.




14) Infinite loop (CVE-ID: CVE-2018-5711)

The disclosed vulnerability allows a local unauthenticated attacker to cause DoS condition.

The vulnerability exists  in PHP GD Graphics Library due to insufficient sanitization of user-supplied data. A local attacker can submit a specially crafted GIF, trigger an infinite loop and cause the service to crash.


Remediation

Install update from vendor's website.

References