# Vulnerability Details

## Basic Information

| Field | Value |
|---|---|
| Title | Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF005 and 24.0.1-IF002. |
| Type | ibm |
| Published | 2025-05-02T07:23:45 |
| Last Seen | 2025-05-02T10:56:38 |
| CVSS Score | 10.0 (CRITICAL) |

## CVSS v3 Details

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

## CVE Information

| Field | Value |
|---|---|
| CVE IDs | CVE-2014-9390, CVE-2018-12699, CVE-2018-18700, CVE-2019-12972, CVE-2019-16163, CVE-2020-15250, CVE-2020-35493, CVE-2020-35494, CVE-2020-35495, CVE-2020-35496, CVE-2020-35507, CVE-2022-40735, CVE-2023-1972, CVE-2023-25584, CVE-2023-25585, CVE-2023-25588, CVE-2023-29383, CVE-2023-36478, CVE-2023-44487, CVE-2023-4759, CVE-2023-50314, CVE-2023-51775, CVE-2023-52428, CVE-2023-5678, CVE-2023-6129, CVE-2023-7008, CVE-2024-0450, CVE-2024-0727, CVE-2024-10041, CVE-2024-10963, CVE-2024-11187, CVE-2024-12401, CVE-2024-12798, CVE-2024-12801, CVE-2024-12905, CVE-2024-21217, CVE-2024-21235, CVE-2024-21536, CVE-2024-21538, CVE-2024-23944, CVE-2024-29018, CVE-2024-31141, CVE-2024-34155, CVE-2024-35195, CVE-2024-3651, CVE-2024-37891, CVE-2024-39338, CVE-2024-39689, CVE-2024-39705, CVE-2024-4067, CVE-2024-41110, CVE-2024-41747, CVE-2024-41753, CVE-2024-43796, CVE-2024-43799, CVE-2024-43800, CVE-2024-45296, CVE-2024-45336, CVE-2024-45337, CVE-2024-45338, CVE-2024-45341, CVE-2024-45590, CVE-2024-45801, CVE-2024-47535, CVE-2024-47554, CVE-2024-47764, CVE-2024-47875, CVE-2024-49766, CVE-2024-49767, CVE-2024-5187, CVE-2024-5206, CVE-2024-52798, CVE-2024-53382, CVE-2024-55565, CVE-2024-57965, CVE-2024-6119, CVE-2024-6345, CVE-2024-6763, CVE-2024-7254, CVE-2024-8184, CVE-2025-1634, CVE-2025-21502, CVE-2025-21613, CVE-2025-21614, CVE-2025-22150, CVE-2025-22866, CVE-2025-22868, CVE-2025-22869, CVE-2025-22870, CVE-2025-26791, CVE-2025-27152 |
| CWE | |
| Bulletin Family | software |

## Description

In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF005 and 24.0.1-IF002.

## Vulnerability Details
**CVEID:** CVE-2025-22866
**DESCRIPTION:** Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.
**CVSS Source:** CISA ADP
**CVSS Base score:** 4
**CVSS Vector:** (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** CVE-2024-57965
**DESCRIPTION:** In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted `setAttribute('href', href)` call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability.
**CWE:** CWE-346: Origin Validation Error
**CVSS Source:** [email protected]
**CVSS Base score:** 0
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N)

**CVEID:** CVE-2025-22868
**DESCRIPTION:** An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
**CWE:** CWE-1286: Improper Validation of Syntactic Correctness of Input
**CVSS Source:** CISA ADP
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2025-27152
**DESCRIPTION:** axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
**CWE:** CWE-918: Server-Side Request Forgery (SSRF)
**CVSS Source:** IBM
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2024-45341
**DESCRIPTION:** A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
**CVSS Source:** CISA ADP
**CVSS Base score:** 6.1
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** CVE-2024-45336
**DESCRIPTION:** The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
**CVSS Source:** CISA ADP
**CVSS Base score:** 6.1
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** CVE-2025-26791
**DESCRIPTION:** DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
**CWE:** CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
**CVSS Source:** [email protected]
**CVSS Base score:** 4.5
**CVSS Vector:** (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N)

**CVEID:** CVE-2024-45337
**DESCRIPTION:** Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry…@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state.
Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
**CVSS Source:** CISA
**CVSS Base score:** 9.1
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:** CVE-2023-29383
**DESCRIPTION:** In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
**CWE:** CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
**CVSS Source:** IBM X-Force
**CVSS Base score:** 3.3
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2023-7008
**DESCRIPTION:** systemd is vulnerable to a man-in-the-middle attack, caused by a flaw that allows it to accept records of DNSSEC-signed domains even when they have no signature. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to manipulate records.
**CWE:** CWE-300: Channel Accessible by Non-Endpoint
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.9
**CVSS Vector:** (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:** CVE-2022-40735
**DESCRIPTION:** The Diffie-Hellman key agreement protocol is vulnerable to a denial of service, caused by the use of long exponents that arguably make certain calculations unnecessarily expensive. By sending specially-crafted network traffic, a remote attacker could exploit this vulnerability to cause a denial of service.
**CWE:** CWE-400: Uncontrolled Resource Consumption
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2023-5678
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a flaw when using the DH_generate_key() function to generate an X9.42 DH key. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:** CWE-606: Unchecked Input for Loop Condition
**CVSS Source:** IBM X-Force
**CVSS Base score:** 3.7
**CVSS Vector:** (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2023-6129
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a flaw in the POLY1305 MAC (message authentication code) implementation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:** CWE-440: Expected Behavior Violation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.9
**CVSS Vector:** (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2024-0727
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially crafted PKCS12 file, a remote attacker could exploit this vulnerability to cause the application to crash.
**CWE:** CWE-476: NULL Pointer Dereference
**CVSS Source:** IBM X-Force
**CVSS Base score:** 3.1
**CVSS Vector:** (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2024-6119
**DESCRIPTION:** Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, …) is not affected; the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
**CWE:** CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
**CVSS Source:** CISA ADP
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2024-12798
**DESCRIPTION:** ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core, versions 0.1 up to and including 1.3.14 and 1.4.0 up to and including 1.5.12, in Java applications allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
**CWE:** CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
**CVSS Source:** Switzerland Government Common Vulnerability Program
**CVSS Base score:** 5.9
**CVSS Vector:** (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L)

**CVEID:** CVE-2024-45338
**DESCRIPTION:** An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
**CWE:** CWE-1333: Inefficient Regular Expression Complexity
**CVSS Source:** CISA ADP
**CVSS Base score:** 5.3
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2018-12699
**DESCRIPTION:** finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.
**CWE:** CWE-787: Out-of-bounds Write
**CVSS Source:** IBM X-Force
**CVSS Base score:** 6.6
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H)

**CVEID:** CVE-2023-51775
**DESCRIPTION:** jose4j is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted p2c value, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:** CWE-400: Uncontrolled Resource Consumption
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2023-52428
**DESCRIPTION:** Connect2id Nimbus-JOSE-JWT is vulnerable to a denial of service, caused by improper validation of user requests by the PasswordBasedDecrypter (PBKDF2) component. By sending a specially crafted request using a large JWE p2c header, a remote attacker could exploit this vulnerability to cause a denial of service.
**CWE:** CWE-770: Allocation of Resources Without Limits or Throttling
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2024-0450
**DESCRIPTION:** An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which overlap entries in the archive.
**CWE:** CWE-405: Asymmetric Resource Consumption (Amplification)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.5
**CVSS Vector:** (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2024-10041
**DESCRIPTION:** A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute a ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.
**CWE:** CWE-922: Insecure Storage of Sensitive Information
**CVSS Source:** CVE.org
**CVSS Base score:** 4.7
**CVSS Vector:** (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2024-10963
**DESCRIPTION:** A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.
**CWE:** CWE-287: Improper Authentication
**CVSS Source:** CVE.org
**CVSS Base score:** 6.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)

**CVEID:** CVE-2024-12801
**DESCRIPTION:** Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback, versions 0.1 to 1.3.14 and 1.4.0 to 1.5.12, on the Java platform allows an attacker to forge requests by compromising logback configuration files in XML. The attack involves modifying the DOCTYPE declaration in XML configuration files.
**CWE:** CWE-918: Server-Side Request Forgery (SSRF)
**CVSS Source:** Switzerland Government Common Vulnerability Program
**CVSS Base score:** 2.4
**CVSS Vector:** (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H)

**CVEID:** CVE-2024-21538
**DESCRIPTION:** Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well-crafted string.
**CWE:** CWE-1333: Inefficient Regular Expression Complexity
**CVSS Source:** CVE.org
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2024-23944
**DESCRIPTION:** Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent to which the attacker already has access. The ZooKeeper server doesn't do an ACL check when the persistent watcher is triggered and, as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of the znode, but since a znode path can contain sensitive information like a user name or login ID, this issue is potentially critical. Users are recommended to upgrade to version 3.9.2 or 3.8.4, which fix the issue.
**CWE:** CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4.3
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** CVE-2024-47535
**DESCRIPTION:** Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and makes it large, the Netty application crashes. This vulnerability is fixed in 4.1.115.
**CWE:** CWE-400: Uncontrolled Resource Consumption
**CVSS Source:** CVE.org
**CVSS Base score:** 5.5
**CVSS Vector:** (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2024-47554
**DESCRIPTION:** Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.
**CWE:** CWE-400: Uncontrolled Resource Consumption
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.3
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2024-6763
**DESCRIPTION:** Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
**CWE:** CWE-1286: Improper Validation of Syntactic Correctness of Input
**CVSS Source:** GitHub
**CVSS Base score:** 3.7
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2024-7254
**DESCRIPTION:** Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit (i.e., StackOverflow). Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.
**CWE:** CWE-20: Improper Input Validation
**CVSS Source:** [email protected]
**CVSS Base score:** 8.7
**CVSS Vector:** (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)

**CVEID:** CVE-2024-8184
**DESCRIPTION:** Eclipse Jetty is vulnerable to a denial of service, caused by an out of memory flaw in the ThreadLimitHandler.getRemote() function. By sending specially crafted requests, a remote attacker could exploit this vulnerability to exhaust the server memory, resulting in a denial of service condition.
**CWE:** CWE-400: Uncontrolled Resource Consumption
**CVSS Source:** GitHub
**CVSS Base score:** 5.9
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2025-21613
**DESCRIPTION:** go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
**CWE:** CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
**CVSS Source:** CISA ADP
**CVSS Base score:** 9.8
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2025-21614
**DESCRIPTION:** go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which trigger resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
**CWE:** CWE-400: Uncontrolled Resource Consumption
**CVSS Source:** [email protected]
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2024-12905
**DESCRIPTION:** An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") vulnerability. This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
**CWE:** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
**CVSS Source:** Seal Security
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:** CVE-2024-41747
**DESCRIPTION:** IBM Business Automation Insights could allow an authenticated user to cause a denial of service due to improper API rate limiting.
**CWE:** CWE-770: Allocation of Resources Without Limits or Throttling
**CVSS Source:** IBM X-Force
**CVSS Base score:** 6.5
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2025-22870
**DESCRIPTION:** Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to `*.example.com`, a request to `[::1%25.example.com]:80` will incorrectly match and not be proxied.
**CWE:** CWE-115: Misinterpretation of Input
**CVSS Source:** CISA ADP
**CVSS Base score:** 4.4
**CVSS Vector:** (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)

**CVEID:** CVE-2025-1634
**DESCRIPTION:** A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.
**CWE:** CWE-401: Missing Release of Memory after Effective Lifetime
**CVSS Source:** [email protected]
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2024-11187
**DESCRIPTION:** It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.
**CWE:** CWE-405: Asymmetric Resource Consumption (Amplification)
**CVSS Source:** [email protected]
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2025-22150
**DESCRIPTION:** Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
**CWE:** CWE-330: Use of Insufficiently Random Values
**CVSS Source:** [email protected]
**CVSS Base score:** 6.8
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)

**CVEID:** CVE-2024-35195
**DESCRIPTION:** Psf Requests could allow a local authenticated attacker to bypass security restrictions, caused by an incorrect control flow implementation vulnerability. If the first request in a session is made with verify=False, all subsequent requests to the same host will continue to ignore cert verification. An attacker could exploit this vulnerability to launch further attacks on the system.
**CWE:** CWE-670: Always-Incorrect Control Flow Implementation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.6
**CVSS Vector:** (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N)

**CVEID:** CVE-2024-5187
**DESCRIPTION:** Open Neural Network Exchange (ONNX) could allow a remote attacker to traverse directories on the system, caused by improper archive file validation by the download_model_with_test_data function. An attacker could use a specially crafted archive file containing "dot dot" sequences (/../) to overwrite arbitrary files on the system.
**CWE:** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
**CVSS Source:** IBM X-Force
**CVSS Base score:** 8.8
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2024-5206
**DESCRIPTION:** scikit-learn could allow a remote authenticated attacker to obtain sensitive information, caused by an unexpected storage of all tokens present in the training data within the stop_words_ attribute. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain passwords or keys information, and use this information to launch further attacks against the affected system.
**CWE:**CWE-921: Storage of Sensitive Data in a Mechanism without Access Control
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.3
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
**CVEID:**CVE-2024-37891
**DESCRIPTION:** urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to strip the Proxy-Authorization header during cross-origin redirects. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information.
**CWE:**CWE-669: Incorrect Resource Transfer Between Spheres
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4.4
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)
**CVEID:**CVE-2024-39705
**DESCRIPTION:** Natural Language Toolkit (NLTK) could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when an untrusted packages have pickled Python code, and the integrated data package download functionality is used. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
**CWE:**CWE-502: Deserialization of Untrusted Data
**CVSS Source:** IBM X-Force
**CVSS Base score:** 9.8
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
**CVEID:**CVE-2024-3651
**DESCRIPTION:** idna could allow a local user to cause a denial of service using a specially crafted argument to the idna.encode() function and consume system resources.
**CWE:**CWE-400: Uncontrolled Resource Consumption
**CVSS Source:** IBM X-Force
**CVSS Base score:** 6.2
**CVSS Vector:**(CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**CVEID:**CVE-2024-39689
**DESCRIPTION:** Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla’s trust store. `GLOBALTRUST`’s root certificates are being removed pursuant to an investigation which identified “long-running and unresolved compliance issues.”
**CWE:** CWE-345: Insufficient Verification of Data Authenticity
**CVSS Source:** NVD
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
**CVEID:** CVE-2024-6345
**DESCRIPTION:** pypa/setuptools could allow a remote attacker to execute arbitrary code on the system, caused by an error in the package_index module. By persuading a victim to click a specially crafted URL, an attacker could exploit this vulnerability using its download functions to inject and execute arbitrary code on the system.
**CWE:** CWE-94: Improper Control of Generation of Code (‘Code Injection’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 8.8
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
**CVEID:** CVE-2024-49767
**DESCRIPTION:** Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
**CWE:** CWE-400: Uncontrolled Resource Consumption
**CVSS Source:** CVE.org
**CVSS Base score:** 6.9
**CVSS Vector:** (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N)
**CVEID:** CVE-2024-49766
**DESCRIPTION:** Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
**CWE:** CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
**CVSS Source:** [email protected]
**CVSS Base score:** 6.3
**CVSS Vector:** (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
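The gap behind CVE-2024-49766, shown as an added example that is not Werkzeug's code: `legacy_ntpath_isabs()` emulates (from memory, an assumption) the pre-3.11 Windows `isabs()` logic that reports a bare `//server/share` as not absolute, and the hypothetical `safe_join()` below rejects UNC-like and drive-qualified segments on their own merits instead of trusting the platform check.

```python
"""Hardened safe_join() for untrusted path segments (illustrative re-implementation,
not Werkzeug's own code). Joining uses posixpath, as Werkzeug does."""
import ntpath
import posixpath
from typing import Optional

_SEPS = ("/", "\\")


def legacy_ntpath_isabs(path: str) -> bool:
    """Emulation (assumption) of the Windows isabs() check before Python 3.11:
    strip the drive, then ask whether the remainder starts with a separator.
    For a bare share such as //server/share the remainder is empty, so the
    path is reported as NOT absolute, which is the case safe_join fell into."""
    rest = ntpath.splitdrive(path)[1]
    return len(rest) > 0 and rest[0] in _SEPS


def is_unc_like(path: str) -> bool:
    """True for //server/share or \\\\server\\share style prefixes."""
    return len(path) >= 2 and path[0] in _SEPS and path[1] in _SEPS


def safe_join(directory: str, *pathnames: str) -> Optional[str]:
    """Join untrusted segments under `directory`; return None if any segment
    could escape it. Both platform isabs() checks are kept, and UNC-like or
    drive-qualified segments are rejected explicitly so the outcome does not
    depend on the Python version or operating system."""
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)  # collapses "a/../b" and "./"
        if (
            "\\" in filename                      # alternate separator, never trusted
            or is_unc_like(filename)              # //server/share
            or posixpath.isabs(filename)          # /etc/passwd
            or ntpath.isabs(filename)             # C:/Windows
            or ntpath.splitdrive(filename)[0]     # C:relative (drive without root)
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)
```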
**CVEID:** CVE-2025-22869
**DESCRIPTION:** SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
**CWE:** CWE-770: Allocation of Resources Without Limits or Throttling
**CVSS Source:** CISA ADP
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2014-9390
**DESCRIPTION:** Git, when used as a client on a case-insensitive filesystem, could allow a remote attacker to execute arbitrary commands on the system. By overwriting a malicious .git/config file when cloning or checking out a repository, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the privileges of the user running the git client.
**CWE:** CWE-20: Improper Input Validation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4
**CVSS Vector:** (AV:N/AC:H/Au:N/C:P/I:P/A:N)
**CVEID:** CVE-2023-4759
**DESCRIPTION:** Eclipse JGit could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of case insensitive filesystems. By using a specially crafted symlink, an attacker could exploit this vulnerability to execute arbitrary code on the system.
**CWE:** CWE-59: Improper Link Resolution Before File Access (‘Link Following’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 8.8
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
**CVEID:** CVE-2024-53382
**DESCRIPTION:** Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
**CWE:** CWE-94: Improper Control of Generation of Code (‘Code Injection’)
**CVSS Source:** [email protected]
**CVSS Base score:** 4.9
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N)
**CVEID:** CVE-2024-52798
**DESCRIPTION:** path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
**CWE:** CWE-1333: Inefficient Regular Expression Complexity
**CVSS Source:** [email protected]
**CVSS Base score:** 7.7
**CVSS Vector:** (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
**CVEID:** CVE-2024-4067
**DESCRIPTION:** Node.js micromatch module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in micromatch.braces() in index.js. By sending a specially crafted payload, a remote attacker could exploit this vulnerability to increase the consumption time until the application hangs or slows down.
**CWE:** CWE-1333: Inefficient Regular Expression Complexity
**CVSS Source:** CVE.org
**CVSS Base score:** 5.3
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
**CVEID:** CVE-2024-39338
**DESCRIPTION:** Axios is vulnerable to server-side request forgery, caused by path-relative URLs being processed as protocol-relative URLs. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack.
**CWE:** CWE-918: Server-Side Request Forgery (SSRF)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
**CVEID:** CVE-2024-45296
**DESCRIPTION:** path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
**CWE:** CWE-1333: Inefficient Regular Expression Complexity
**CVSS Source:** CVE.org
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2024-43796
**DESCRIPTION:** expressjs express is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
**CWE:** CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5
**CVSS Vector:** (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)
**CVEID:** CVE-2024-43799
**DESCRIPTION:** pillarjs send is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
**CWE:** CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5
**CVSS Vector:** (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)
**CVEID:** CVE-2024-43800
**DESCRIPTION:** expressjs serve-static is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
**CWE:** CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5
**CVSS Vector:** (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)
**CVEID:** CVE-2024-45590
**DESCRIPTION:** expressjs body-parser is vulnerable to a denial of service, caused by a flaw when URL encoding is enabled. By sending a specially crafted payload, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:** CWE-405: Asymmetric Resource Consumption (Amplification)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2024-47764
**DESCRIPTION:** jshttp cookie could allow a remote attacker to bypass security restrictions, caused by improper input validation of the cookie name, path, and domain. By sending a specially crafted request, an attacker could exploit this vulnerability to alter other fields of the cookie.
**CWE:** CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 6.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
**CVEID:** CVE-2024-47875
**DESCRIPTION:** DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
**CWE:** CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
**CVSS Source:** GitHub
**CVSS Base score:** 10
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H)
**CVEID:** CVE-2024-45801
**DESCRIPTION:** DOMPurify could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in depth check. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
**CWE:** CWE-1333: Inefficient Regular Expression Complexity
**CVSS Source:** CVE.org
**CVSS Base score:** 7.3
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
**CVEID:** CVE-2024-21536
**DESCRIPTION:** http-proxy-middleware is vulnerable to a denial of service, caused by an UnhandledPromiseRejection error thrown by micromatch. By sending specially crafted requests to certain paths, a remote attacker could exploit this vulnerability to kill the Node.js process and crash the server.
**CWE:** CWE-400: Uncontrolled Resource Consumption
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2024-55565
**DESCRIPTION:** nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
**CWE:** CWE-835: Loop with Unreachable Exit Condition (‘Infinite Loop’)
**CVSS Source:** CISA ADP
**CVSS Base score:** 4.3
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
**CVEID:** CVE-2025-21502
**DESCRIPTION:** Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
**CWE:** CWE-863: Incorrect Authorization
**CVSS Source:** [email protected]
**CVSS Base score:** 4.8
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
**CVEID:** CVE-2023-50314
**DESCRIPTION:** IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274713.
**CWE:** CWE-295: Improper Certificate Validation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.3
**CVSS Vector:** (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
**CVEID:** CVE-2023-44487
**DESCRIPTION:** The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
**CWE:** CWE-400: Uncontrolled Resource Consumption
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2023-36478
**DESCRIPTION:** Eclipse Jetty is vulnerable to a denial of service, caused by an integer overflow and buffer allocation in MetaDataBuilder.checkSize. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:** CWE-190: Integer Overflow or Wraparound
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2018-18700
**DESCRIPTION:** GNU Binutils is vulnerable to a denial of service, caused by a stack consumption in cp-demangle.c in GNU libiberty. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
**CWE:** CWE-835: Loop with Unreachable Exit Condition (‘Infinite Loop’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 3.3
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
**CVEID:** CVE-2019-12972
**DESCRIPTION:** GNU binutils is vulnerable to a denial of service, caused by a heap-based buffer over-read in the bfd_doprnt in bfd.c of libbfd. By using a specially-crafted file, a local attacker could exploit this vulnerability to cause the application to crash.
**CWE:** CWE-125: Out-of-bounds Read
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
**CVEID:** CVE-2019-16163
**DESCRIPTION:** oniguruma is vulnerable to a denial of service, caused by stack exhaustion in regcomp.c due to recursion in regparse.c. By persuading a victim to compile a specially crafted file and execute its object code, a remote attacker could exploit this vulnerability to cause the application to crash.
**CWE:** CWE-674: Uncontrolled Recursion
**CVSS Source:** IBM X-Force
**CVSS Base score:** 3.3
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
**CVEID:** CVE-2020-15250
**DESCRIPTION:** JUnit4 could allow a local attacker to obtain sensitive information, caused by a flaw in test rule TemporaryFolder. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
**CWE:** CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
**CVEID:** CVE-2020-35493
**DESCRIPTION:** GNU Binutils is vulnerable to a heap-based buffer overflow, caused by improper bounds checking in bfd_pef_parse_function_stubs in bfd/pef.c. By persuading a victim to open a specially crafted file, a remote attacker could overflow a buffer to cause an out-of-bounds read, leading to a denial of service.
**CWE:** CWE-20: Improper Input Validation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.5
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2020-35494
**DESCRIPTION:** GNU Binutils is vulnerable to a denial of service, caused by the usage of uninitialized memory in /opcodes/tic4x-dis.c in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file with corrupt dwarf1 debug information, a remote attacker could cause a denial of service.
**CWE:** CWE-908: Use of Uninitialized Resource
**CVSS Source:** IBM X-Force
**CVSS Base score:** 6.1
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)
**CVEID:** CVE-2020-35495
**DESCRIPTION:** GNU Binutils is vulnerable to a denial of service, caused by NULL pointer dereference in the bfd_pef_parse_symbols function in bfd/pef.c in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file with corrupt dwarf1 debug information, a remote attacker could cause a denial of service.
**CWE:** CWE-476: NULL Pointer Dereference
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.5
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2020-35496
**DESCRIPTION:** GNU Binutils is vulnerable to a denial of service, caused by NULL pointer dereference in the bfd_pef_scan_start_address() of bfd/pef.c in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file with corrupt dwarf1 debug information, a remote attacker could cause a denial of service.
**CWE:** CWE-476: NULL Pointer Dereference
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.5
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2020-35507
**DESCRIPTION:** GNU Binutils is vulnerable to a denial of service, caused by NULL pointer dereference in the bfd_pef_parse_function_stubs of bfd/pef.c in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file with corrupt dwarf1 debug information, a remote attacker could cause a denial of service.
**CWE:** CWE-476: NULL Pointer Dereference
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.5
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2023-1972
**DESCRIPTION:** A potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.
**CWE:** CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
**CVSS Source:** IBM X-Force
**CVSS Base score:** 2.5
**CVSS Vector:** (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)
**CVEID:** CVE-2023-25584
**DESCRIPTION:** GNU binutils is vulnerable to a denial of service, caused by an out-of-bounds read flaw in the parse_module function in bfd/vms-alpha.c. By persuading a victim to open a specially crafted content, a remote attacker could exploit this vulnerability to cause a crash or access sensitive information.
**CWE:** CWE-125: Out-of-bounds Read
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.1
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
**CVEID:** CVE-2023-25585
**DESCRIPTION:** GNU binutils is vulnerable to a denial of service, caused by the file_table field of struct module and the the_bfd field of asymbol not being properly initialized. By persuading a victim to open specially crafted content, a remote attacker could exploit this vulnerability to cause a crash.
**CWE:** CWE-457: Use of Uninitialized Variable
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4.7
**CVSS Vector:** (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2023-25588
**DESCRIPTION:** GNU binutils is vulnerable to a denial of service, caused by the the_bfd field of asymbol not being properly initialized in the bfd_mach_o_get_synthetic_symtab function. By persuading a victim to open specially crafted content, a remote attacker could exploit this vulnerability to cause a crash or access sensitive information.
**CWE:** CWE-457: Use of Uninitialized Variable
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4.7
**CVSS Vector:** (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2024-21217
**DESCRIPTION:** Vulnerability in Java SE (component: Serialization). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS).
**CWE:** CWE-502: Deserialization of Untrusted Data
**CVSS Source:** Oracle
**CVSS Base score:** 3.7
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
**CVEID:** CVE-2024-21235
**DESCRIPTION:** Vulnerability in Java SE (component: Hotspot). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to accessible data as well as unauthorized read access to a subset of accessible data.
**CVSS Source:** Oracle
**CVSS Base score:** 4.8
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
**CVEID:** CVE-2024-29018
**DESCRIPTION:** Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby’s networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well. When containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs. Containers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly. In addition to configuring the Linux kernel’s various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver. When a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container’s network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.
As a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved. Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host’s configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forwards DNS requests from the host network namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected. Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace’s normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers. Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on an RFC 1918 address. Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container’s network namespace.
**CWE:** CWE-669: Incorrect Resource Transfer Between Spheres
**CVSS Source:** NVD
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
**CVEID:** CVE-2024-41110
**DESCRIPTION:** Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 contains patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.
**CWE:** CWE-187: Partial String Comparison
**CVSS Source:** [email protected]
**CVSS Base score:** 9.9
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
**CVEID:** CVE-2024-41753
**DESCRIPTION:** IBM CP4BA – Business Automation Insights Core is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
**CWE:** CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 6.1
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
**CVEID:** CVE-2024-34155
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a stack exhaustion in all Parse* functions. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:** CWE-1325: Improperly Controlled Sequential Memory Allocation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2024-12401
**DESCRIPTION:** A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.
**CWE:** CWE-20: Improper Input Validation
**CVSS Source:** [email protected]
**CVSS Base score:** 4.4
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2024-31141
**DESCRIPTION:** Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment access, which may be undesirable in certain environments, including SaaS products. This issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2, 3.7.0. Users with affected applications are recommended to upgrade kafka-clients to version >=3.8.0, and set the JVM system property “org.apache.kafka.automatic.config.providers=none”. Users of Kafka Connect with one of the listed ConfigProvider implementations specified in their worker config are also recommended to add appropriate “allowlist.pattern” and “allowed.paths” to restrict their operation to appropriate bounds. For users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access, it is not recommended to set the system property. For users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools, it is not recommended to set the system property.
**CWE:** CWE-269: Improper Privilege Management
**CVSS Source:** IBM X-Force
**CVSS Base score:** 6.8
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
## Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Cloud Pak for Business Automation | V24.0.1 – V24.0.1-IF001 | Affected |
| IBM Cloud Pak for Business Automation | V24.0.0 – V24.0.0-IF004 | Affected |
| IBM Cloud Pak for Business Automation | earlier unsupported versions | Affected |
## Remediation/Fixes
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Cloud Pak for Business Automation | V24.0.1 – V24.0.1-IF001 | Apply security fix 24.0.1-IF002 |
| IBM Cloud Pak for Business Automation | V24.0.0 – V24.0.0-IF004 | Apply security fix 24.0.0-IF005 or upgrade to 24.0.1-IF002 |
| IBM Cloud Pak for Business Automation | earlier unsupported versions | Upgrade to 24.0.0-IF005 or 24.0.1-IF002 |
Any open source library may be included in one or more sub-components of IBM Cloud Pak for Business Automation. Open source updates are not always synchronized across all components. The CVEs in this bulletin are specifically addressed in the following components:
CVE ID| Component
---|---
CVE-2024-45337| Automation Decision Services
CVE-2024-45338| Automation Decision Services
CVE-2025-22868| Automation Decision Services
CVE-2025-22869| Automation Decision Services
CVE-2014-9390| Automation Document Processing Component
CVE-2022-40735| Automation Document Processing Component
CVE-2023-29383| Automation Document Processing Component
CVE-2023-4759| Automation Document Processing Component
CVE-2023-5678| Automation Document Processing Component
CVE-2023-6129| Automation Document Processing Component
CVE-2023-7008| Automation Document Processing Component
CVE-2024-0727| Automation Document Processing Component
CVE-2024-12905| Automation Document Processing Component
CVE-2024-21536| Automation Document Processing Component
CVE-2024-21538| Automation Document Processing Component
CVE-2024-35195| Automation Document Processing Component
CVE-2024-3651| Automation Document Processing Component
CVE-2024-37891| Automation Document Processing Component
CVE-2024-39338| Automation Document Processing Component
CVE-2024-39689| Automation Document Processing Component
CVE-2024-39705| Automation Document Processing Component
CVE-2024-4067| Automation Document Processing Component
CVE-2024-43796| Automation Document Processing Component
CVE-2024-43799| Automation Document Processing Component
CVE-2024-43800| Automation Document Processing Component
CVE-2024-45296| Automation Document Processing Component
CVE-2024-45590| Automation Document Processing Component
CVE-2024-45801| Automation Document Processing Component
CVE-2024-47764| Automation Document Processing Component
CVE-2024-47875| Automation Document Processing Component
CVE-2024-49766| Automation Document Processing Component
CVE-2024-49767| Automation Document Processing Component
CVE-2024-5187| Automation Document Processing Component
CVE-2024-5206| Automation Document Processing Component
CVE-2024-52798| Automation Document Processing Component
CVE-2024-53382| Automation Document Processing Component
CVE-2024-6119| Automation Document Processing Component
CVE-2024-6345| Automation Document Processing Component
CVE-2025-22150| Automation Document Processing Component
CVE-2025-26791| Automation Document Processing Component
CVE-2025-27152| Automation Document Processing Component
CVE-2023-50314| Base Images
CVE-2025-27152| Business Automation Application Component
CVE-2025-27152| Business Automation Insights Component
CVE-2024-12798| Business Automation Insights Core
CVE-2024-12801| Business Automation Insights Core
CVE-2024-41747| Business Automation Insights Core
CVE-2024-41753| Business Automation Insights Core
CVE-2024-57965| Business Automation Insights Core
CVE-2025-1634| Business Automation Insights Core
CVE-2025-27152| Business Automation Insights Core
CVE-2024-11187| Business Automation Workflow
CVE-2024-12401| Business Automation Workflow
CVE-2024-31141| Business Automation Workflow
CVE-2024-34155| Business Automation Workflow
CVE-2024-45336| Business Automation Workflow
CVE-2024-45341| Business Automation Workflow
CVE-2025-22866| Business Automation Workflow
CVE-2025-22869| Business Automation Workflow
CVE-2025-22870| Business Automation Workflow
CVE-2018-12699| Cloud Pak foundational services
CVE-2018-18700| Cloud Pak foundational services
CVE-2019-12972| Cloud Pak foundational services
CVE-2019-16163| Cloud Pak foundational services
CVE-2020-15250| Cloud Pak foundational services
CVE-2020-35493| Cloud Pak foundational services
CVE-2020-35494| Cloud Pak foundational services
CVE-2020-35495| Cloud Pak foundational services
CVE-2020-35496| Cloud Pak foundational services
CVE-2020-35507| Cloud Pak foundational services
CVE-2023-1972| Cloud Pak foundational services
CVE-2023-25584| Cloud Pak foundational services
CVE-2023-25585| Cloud Pak foundational services
CVE-2023-25588| Cloud Pak foundational services
CVE-2023-51775| Cloud Pak foundational services
CVE-2023-52428| Cloud Pak foundational services
CVE-2024-0450| Cloud Pak foundational services
CVE-2024-10041| Cloud Pak foundational services
CVE-2024-10963| Cloud Pak foundational services
CVE-2024-12798| Cloud Pak foundational services
CVE-2024-12801| Cloud Pak foundational services
CVE-2024-21217| Cloud Pak foundational services
CVE-2024-21235| Cloud Pak foundational services
CVE-2024-21538| Cloud Pak foundational services
CVE-2024-23944| Cloud Pak foundational services
CVE-2024-29018| Cloud Pak foundational services
CVE-2024-45336| Cloud Pak foundational services
CVE-2024-45337| Cloud Pak foundational services
CVE-2024-47535| Cloud Pak foundational services
CVE-2024-47554| Cloud Pak foundational services
CVE-2024-52798| Cloud Pak foundational services
CVE-2024-55565| Cloud Pak foundational services
CVE-2024-6763| Cloud Pak foundational services
CVE-2024-7254| Cloud Pak foundational services
CVE-2024-8184| Cloud Pak foundational services
CVE-2025-21502| Cloud Pak foundational services
CVE-2025-21613| Cloud Pak foundational services
CVE-2025-21614| Cloud Pak foundational services
CVE-2025-26791| Cloud Pak foundational services
CVE-2023-36478| IBM Content Collector for SAP Component
CVE-2023-44487| IBM Content Collector for SAP Component
CVE-2024-41110| operators
CVE-2024-45336| User Management Service Component
CVE-2024-45341| User Management Service Component
CVE-2024-57965| User Management Service Component
CVE-2025-22866| User Management Service Component
CVE-2025-22868| User Management Service Component
CVE-2025-22870| User Management Service Component
CVE-2025-27152| User Management Service Component
## Workarounds and Mitigations
None
## Impact Assessment
| Base Score | 10.0 |
|---|---|
| Severity | CRITICAL |