SB2025082055 - Multiple vulnerabilities in IBM DevOps Code ClearCase 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025082055

SB2025082055 - Multiple vulnerabilities in IBM DevOps Code ClearCase

Published: August 20, 2025

Security Bulletin ID SB2025082055
Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-43204)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input in mod_proxy . A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Note, the vulnerability exploitation requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.


2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-43394)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when handling UNC paths on Windows. A remote attacker can trick the application into initiating requests to arbitrary systems and potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input.

Note, the vulnerability affects Windows installations only. 



3) HTTP response splitting (CVE-ID: CVE-2024-42516)

The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to software does not correctly process CRLF character sequences. A remote attacker with ability to manipulate the Content-Type response headers of applications hosted or proxied by the server can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.

Note, this vulnerability exists due a missing fix for #VU88151 (CVE-2023-38709).


4) Expected behavior violation (CVE-ID: CVE-2025-54090)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in code that causes the "RewriteCond expr" to be always "true". A remote attacker can bypass implemented security restrictions that rely on regular expressions. 


Remediation

Install update from vendor's website.

References