Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities

Vulnerability Details

Basic Information

Title Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities
Type ibm
Published 2025-05-02T19:42:08
Last Seen 2025-05-03T02:56:40
CVSS Score 9.8 (CRITICAL)

CVSS v3 Details

Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

CVE Information

CVE IDs CVE-2016-20012, CVE-2018-15919, CVE-2019-6110, CVE-2020-14145, CVE-2020-15778, CVE-2021-41617, CVE-2023-29483, CVE-2023-38408, CVE-2023-5752, CVE-2024-11079, CVE-2024-12797, CVE-2024-20952, CVE-2024-21131, CVE-2024-21138, CVE-2024-21144, CVE-2024-21145, CVE-2024-26130, CVE-2024-37891, CVE-2024-39689, CVE-2024-42367, CVE-2024-45337, CVE-2024-47535, CVE-2024-53899, CVE-2024-5569, CVE-2024-56326, CVE-2024-56332, CVE-2024-6345, CVE-2024-8775, CVE-2024-9287, CVE-2024-9902, CVE-2025-22869, CVE-2025-24970, CVE-2025-25193, CVE-2025-26619, CVE-2025-27152, CVE-2025-27363, CVE-2025-27793, CVE-2025-29927
CWE
Bulletin Family software

Description

## Summary

IBM Guardium Data Security Center has addressed these vulnerabilities.

## Vulnerability Details

**CVEID:**CVE-2025-29927
**DESCRIPTION:** Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
**CWE:**CWE-285: Improper Authorization
**CVSS Source:** [email protected]
**CVSS Base score:** 9.1
**CVSS Vector:**(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:**CVE-2024-56332
**DESCRIPTION:** Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leave requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: the Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.) Deployments without any protection against long-running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those, then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds.
**CWE:**CWE-770: Allocation of Resources Without Limits or Throttling
**CVSS Source:** [email protected]
**CVSS Base score:** 5.3
**CVSS Vector:**(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**CVE-2025-24970
**DESCRIPTION:** Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, validation of the packet is not handled correctly in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround, it is possible to either disable use of the native SSLEngine or patch the code manually.
**CWE:**CWE-20: Improper Input Validation
**CVSS Source:** [email protected]
**CVSS Base score:** 7.5
**CVSS Vector:**(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2025-27793
**DESCRIPTION:** Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the `vega-interpreter`. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use `vega` with expression interpreter.
**CWE:**CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
**CVSS Source:** [email protected]
**CVSS Base score:** 5.3
**CVSS Vector:**(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)

**CVEID:**CVE-2025-26619
**DESCRIPTION:** Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In `vega` 5.30.0 and lower and in `vega-functions` 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. The issue is patched in `vega` `5.31.0` and `vega-functions` `5.16.0`. Some workarounds are available. Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. Alternatively, using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary JavaScript from running, so users of this mode are not affected by this vulnerability.
**CWE:**CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
**CVSS Source:** NVD
**CVSS Base score:** 6.1
**CVSS Vector:**(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**CVE-2016-20012
**DESCRIPTION:** OpenSSH could allow a remote attacker to obtain sensitive information, caused by a flaw when using the publickey authentication. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain the user information, and use this information to launch further attacks against the affected system.
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.3
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**CVE-2021-41617
**DESCRIPTION:** OpenSSH could allow a local attacker to gain elevated privileges on the system, caused by an error in sshd when certain non-default configurations are used. By executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where an AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a non-root user, an attacker could exploit this vulnerability to gain privileges associated with group memberships of the sshd process.
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.4
**CVSS Vector:**(CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2019-6110
**DESCRIPTION:** OpenSSH could allow a remote attacker to conduct spoofing attacks, caused by accepting and displaying arbitrary stderr output from the scp server. A man-in-the-middle attacker could exploit this vulnerability to spoof scp client output.
**CWE:**CWE-838: Inappropriate Encoding for Output Context
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4.2
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

**CVEID:**CVE-2018-15919
**DESCRIPTION:** OpenSSH could allow a remote attacker to obtain sensitive information, caused by an error in auth-gss2.c when GSS2 is in use. By sending a specially crafted request, an attacker could exploit this vulnerability to enumerate valid usernames. Note: The discoverer has stated that the OpenSSH developers do not want to treat such a username enumeration as a vulnerability.
**CWE:**CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.3
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**CVE-2020-15778
**DESCRIPTION:** OpenSSH could allow a remote attacker to execute arbitrary commands on the system, caused by improper input validation in the remote function in scp.c. By opening a specially crafted file containing backtick characters in the destination argument, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
**CWE:**CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.8
**CVSS Vector:**(CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2023-38408
**DESCRIPTION:** OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the forwarded ssh-agent. By sending specially crafted requests, an attacker could exploit this vulnerability to execute arbitrary code on the system.
**CWE:**CWE-428: Unquoted Search Path or Element
**CVSS Source:** IBM X-Force
**CVSS Base score:** 8.1
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2020-14145
**DESCRIPTION:** OpenSSH is vulnerable to a man-in-the-middle attack, caused by an observable discrepancy flaw. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
**CWE:**CWE-203: Observable Discrepancy
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.3
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2025-27152
**DESCRIPTION:** axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
**CWE:**CWE-918: Server-Side Request Forgery (SSRF)
**CVSS Source:** IBM
**CVSS Base score:** 7.5
**CVSS Vector:**(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2024-20952
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
**CWE:**CWE-284: Improper Access Control
**CVSS Source:** [email protected]
**CVSS Base score:** 7.4
**CVSS Vector:**(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:**CVE-2024-21131
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low integrity impact.
**CVSS Source:** IBM X-Force
**CVSS Base score:** 3.7
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**CVE-2024-21138
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause a low availability impact.
**CVSS Source:** IBM X-Force
**CVSS Base score:** 3.7
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**CVE-2024-21144
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Concurrency component could allow a remote attacker to cause low availability impact.
**CVSS Source:** IBM X-Force
**CVSS Base score:** 3.7
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**CVE-2024-21145
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the 2D component could allow a remote attacker to cause low confidentiality, low integrity impacts.
**CWE:**CWE-284: Improper Access Control
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4.8
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

**CVEID:**CVE-2025-25193
**DESCRIPTION:** Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe read of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and makes it large, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
**CWE:**CWE-400: Uncontrolled Resource Consumption
**CVSS Source:** NVD
**CVSS Base score:** 5.5
**CVSS Vector:**(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2024-45337
**DESCRIPTION:** Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that “A call to this function does not guarantee that the key offered is in fact used to authenticate.” Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry…@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. 
Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
**CVSS Source:** CISA
**CVSS Base score:** 9.1
**CVSS Vector:**(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
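The exchange described above (query A, query B, sign with A) is easy to get wrong and worth seeing end to end. The following is an added example, not code from the bulletin or from golang.org/x/crypto: a constructed Python model of the server-side publickey flow in which the callback's answer is cached per key, so the signed attempt for an already-queried key does not call the callback again. `KEY_A`, `KEY_B`, `AUTHORIZED_ROLES`, the `Permissions` class and the `ToyPublicKeyAuth` class are all stand-ins invented for the illustration. The first application pattern authorizes from external state written by the callback and grants the admin role to a client that only proved control of the deploy key; the second binds the decision to the Permissions value returned for the attempt that actually authenticated.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed stand-ins for public keys. The attacker controls the private half of
# KEY_A only; KEY_B belongs to an administrator and its public half is known to the
# attacker (public keys are not secret).
KEY_A = "pubkey-A (attacker holds the private key)"
KEY_B = "pubkey-B (admin; attacker knows only the public key)"

# Assumed authorized-keys policy for the toy server: the role each key is granted.
AUTHORIZED_ROLES = {KEY_A: "deploy", KEY_B: "admin"}


@dataclass
class Permissions:
    """Stand-in for the Permissions value a public-key callback returns;
    `extensions` plays the role of its Extensions field."""
    extensions: dict = field(default_factory=dict)


class ToyPublicKeyAuth:
    """Constructed model of the server side of SSH publickey auth as the advisory
    describes it: the client may query several keys without signing, then sign with
    one of them. The callback's answer is cached per key, so the signed attempt for a
    key that was already queried does not invoke the callback again. This is not the
    golang.org/x/crypto/ssh implementation."""

    def __init__(self, public_key_callback: Callable[[str], Optional[Permissions]]):
        self.callback = public_key_callback
        self.cache: dict[str, Optional[Permissions]] = {}

    def run(self, client_messages: list[tuple[str, bool]]) -> tuple[Optional[str], Optional[Permissions]]:
        """client_messages holds (key, signed) pairs; signed=True models a signature
        that verified, i.e. the client proved control of that key's private half."""
        for key, signed in client_messages:
            if key not in self.cache:
                self.cache[key] = self.callback(key)
            perms = self.cache[key]
            if perms is not None and signed:
                return key, perms  # connection established, authenticated with `key`
        return None, None


def role_from_external_state(client_messages: list[tuple[str, bool]]) -> Optional[str]:
    """The misuse pattern: remember the last key the callback saw and authorize from it."""
    seen: dict[str, str] = {}

    def callback(key: str) -> Optional[Permissions]:
        if key not in AUTHORIZED_ROLES:
            return None
        seen["last_key"] = key  # external state, overwritten by every query
        return Permissions()

    key, _ = ToyPublicKeyAuth(callback).run(client_messages)
    if key is None:
        return None
    return AUTHORIZED_ROLES[seen["last_key"]]  # ignores which key actually signed


def role_from_permissions(client_messages: list[tuple[str, bool]]) -> Optional[str]:
    """The recommended pattern: record per-attempt data in the returned Permissions,
    which the server hands back only for the key that authenticated."""

    def callback(key: str) -> Optional[Permissions]:
        if key not in AUTHORIZED_ROLES:
            return None
        return Permissions(extensions={"role": AUTHORIZED_ROLES[key]})

    key, perms = ToyPublicKeyAuth(callback).run(client_messages)
    if key is None or perms is None:
        return None
    return perms.extensions["role"]


# The exchange from the advisory: query A, query B, then sign with A.
ATTACK_SEQUENCE = [(KEY_A, False), (KEY_B, False), (KEY_A, True)]

if __name__ == "__main__":
    print("external state:", role_from_external_state(ATTACK_SEQUENCE))  # admin (wrong)
    print("permissions:   ", role_from_permissions(ATTACK_SEQUENCE))     # deploy (right)
```

The model deliberately caches by key so that the callback is invoked exactly twice for the attack sequence, which is the behaviour the advisory describes; the v0.31.0 mitigation it mentions changes that by calling the callback again for the key that finally authenticates, but applications should still not rely on callback ordering.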

**CVEID:**CVE-2025-22869
**DESCRIPTION:** SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
**CWE:**CWE-770: Allocation of Resources Without Limits or Throttling
**CVSS Source:** CISA ADP
**CVSS Base score:** 7.5
**CVSS Vector:**(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2025-27363
**DESCRIPTION:** An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
**CWE:**CWE-787: Out-of-bounds Write
**CVSS Source:** [email protected]
**CVSS Base score:** 8.1
**CVSS Vector:**(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2023-29483
**DESCRIPTION:** Dnspython is vulnerable to a denial of service, caused by a flaw in stub resolver when a bad-in-some-way response arrives before a legitimate one on the UDP port dnspython is using for that query. By sending a specially crafted query, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:**CWE-292: DEPRECATED: Trusting Self-reported DNS Name
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H)

**CVEID:**CVE-2023-5752
**DESCRIPTION:** When installing a package from a Mercurial VCS URL (i.e. “pip install hg+…”) with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the “hg clone” call (i.e. “--config”). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren’t installing from Mercurial.
**CWE:**CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.5
**CVSS Vector:**(CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
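The injection above works because a revision string that begins with “-” is handed to `hg` as a bare argument and parsed as an option. The following is an added example written for this bulletin, not pip's own code or its fix: it splits a pip-style `hg+<url>@<rev>` reference, shows the exploitable argv shape beside a hardened one, and validates the revision before it is placed in an argv list. It assumes that `hg` accepts the `--rev=<value>` form (so the value cannot become a separate token) and never spawns a process; `hardened_commands` and `UnsafeRevision` are names chosen for the illustration.

```python
from __future__ import annotations

import re


class UnsafeRevision(ValueError):
    """Raised when a VCS revision string could be read by the VCS CLI as an option."""


def validate_revision(rev: str) -> str:
    """Reject revision strings that `hg` could parse as something other than a revision.
    A leading '-' is the option-injection vector described for CVE-2023-5752
    ('--config=...'); whitespace and control characters are refused as defence in depth."""
    if not rev:
        raise UnsafeRevision("empty revision")
    if rev.startswith("-"):
        raise UnsafeRevision(f"revision looks like a command-line option: {rev!r}")
    if re.search(r"[\s\x00-\x1f\x7f]", rev):
        raise UnsafeRevision(f"revision contains whitespace or control characters: {rev!r}")
    return rev


def is_safe_revision(rev: str) -> bool:
    try:
        validate_revision(rev)
    except UnsafeRevision:
        return False
    return True


def split_vcs_url(url: str) -> tuple[str, str | None]:
    """Split the pip-style 'hg+<url>[@<rev>]' form into (clone_url, rev). Only an '@'
    after the host part counts, so userinfo such as 'user@host' is left alone."""
    if not url.startswith("hg+"):
        raise ValueError("expected an hg+ URL")
    url = url[len("hg+"):]
    scheme, _, rest = url.partition("://")
    if "/" in rest and "@" in rest.split("/", 1)[1]:
        rest, rev = rest.rsplit("@", 1)
        return f"{scheme}://{rest}", rev
    return url, None


def unsafe_update_argv(rev: str) -> list[str]:
    """The exploitable shape: the revision is a bare positional argument, so a value
    such as '--config=...' is parsed by hg as an option, not as a revision."""
    return ["hg", "update", "-q", rev]


def hardened_commands(url: str, dest: str) -> list[list[str]]:
    """argv lists (no shell) for a clone followed by an update to the requested revision.
    The revision is validated and bound with '--rev=<rev>', so even a value starting
    with '-' cannot become a separate option token. Nothing is executed here."""
    clone_url, rev = split_vcs_url(url)
    commands = [["hg", "clone", "--noupdate", "-q", clone_url, dest]]
    if rev is not None:
        commands.append(["hg", "update", "-q", f"--rev={validate_revision(rev)}"])
    return commands


if __name__ == "__main__":
    hostile = "hg+https://hg.example.com/repo@--config=hooks.post-update=id"
    print("unsafe argv:", unsafe_update_argv(split_vcs_url(hostile)[1]))
    print("hardened:   ", hardened_commands("hg+https://hg.example.com/repo@v1.2.3", "/tmp/repo"))
```

The allow-list approach (restricting revisions to a known grammar) would be stricter, but Mercurial revsets legitimately contain many punctuation characters, so this example only excludes what the CLI could misparse.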

**CVEID:**CVE-2024-11079
**DESCRIPTION:** A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.
**CWE:**CWE-20: Improper Input Validation
**CVSS Source:** CVE.org
**CVSS Base score:** 5.5
**CVSS Vector:**(CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L)

**CVEID:**CVE-2024-12797
**DESCRIPTION:** Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don’t abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections using raw public keys may be vulnerable to man-in-middle attacks when server authentication failure is not detected by clients. RPKs are disabled by default in both TLS clients and TLS servers. The issue only arises when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain. The affected clients are those that then rely on the handshake to fail when the server’s RPK fails to match one of the expected public keys, by setting the verification mode to SSL_VERIFY_PEER. Clients that enable server-side raw public keys can still find out that raw public key verification failed by calling SSL_get_verify_result(), and those that do, and take appropriate action, are not affected. This issue was introduced in the initial implementation of RPK support in OpenSSL 3.2. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
**CWE:**CWE-392: Missing Report of Error Condition
**CVSS Source:** CISA ADP
**CVSS Base score:** 6.3
**CVSS Vector:**(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

**CVEID:**CVE-2024-26130
**DESCRIPTION:** cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(…)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.
**CWE:**CWE-476: NULL Pointer Dereference
**CVSS Source:** NVD
**CVSS Base score:** 7.5
**CVSS Vector:**(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2024-37891
**DESCRIPTION:** urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to strip the Proxy-Authorization header during cross-origin redirects. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information.
**CWE:**CWE-669: Incorrect Resource Transfer Between Spheres
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4.4
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)
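Both the axios entry (CVE-2025-27152, an absolute URL silently replacing `baseURL`) and the urllib3 entry above (CVE-2024-37891, `Proxy-Authorization` surviving a cross-origin redirect) come down to the same missing check: comparing the origin of where a request is about to go with the origin the caller intended. The following is an added example, not code from either library or from the bulletin: a stdlib-only Python origin comparison used in both roles. It assumes the base URL ends with a trailing slash (so the path-prefix check is meaningful) and that the caller's HTTP client is given the resolved URL and filtered headers; `resolve_within_base`, `within_base` and `headers_for_redirect` are names chosen for the illustration.

```python
from __future__ import annotations

from urllib.parse import urljoin, urlsplit

# Headers that must not travel to a different origin. urllib3 already dropped
# Authorization on cross-origin redirects; the CVE is that Proxy-Authorization was kept.
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int | None]:
    """(scheme, host, port) with the scheme's default port filled in, so that
    https://API.example.com/ and https://api.example.com:443/x compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def resolve_within_base(base_url: str, target: str) -> str:
    """Join `target` onto `base_url` the way an HTTP client does, then refuse the result
    if it left the base origin or the base path. urljoin() returns an absolute or
    protocol-relative `target` essentially unchanged, which is the behaviour the axios
    entry describes; the comparison after the join is what turns that into a hard error."""
    resolved = urljoin(base_url, target)
    if origin(resolved) != origin(base_url):
        raise ValueError(f"cross-origin request refused: {resolved}")
    if not urlsplit(resolved).path.startswith(urlsplit(base_url).path):
        raise ValueError(f"request escaped the base path: {resolved}")
    return resolved


def within_base(base_url: str, target: str) -> bool:
    try:
        resolve_within_base(base_url, target)
    except ValueError:
        return False
    return True


def headers_for_redirect(from_url: str, to_url: str, headers: dict[str, str]) -> dict[str, str]:
    """Headers to send when following a redirect: everything if the origin is unchanged,
    otherwise everything except credential-bearing headers."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {name: value for name, value in headers.items()
            if name.lower() not in CREDENTIAL_HEADERS}


if __name__ == "__main__":
    base = "https://api.example.com/v1/"
    for target in ("users/42", "http://169.254.169.254/latest/meta-data/",
                   "//169.254.169.254/", "https://api.example.com@evil.example/v1/", "../admin"):
        print(f"{target!r:50} allowed={within_base(base, target)}")
    print(headers_for_redirect("https://api.example.com/v1/login", "https://cdn.example.net/login",
                               {"Proxy-Authorization": "Basic cHJveHk6c2VjcmV0", "Accept": "*/*"}))
```

The userinfo case (`https://api.example.com@evil.example/`) is included because a naive "does the string start with the base URL's host" check passes it; comparing parsed origins does not.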

**CVEID:**CVE-2024-39689
**DESCRIPTION:** Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla’s trust store. `GLOBALTRUST`’s root certificates are being removed pursuant to an investigation which identified “long-running and unresolved compliance issues.”
**CWE:**CWE-345: Insufficient Verification of Data Authenticity
**CVSS Source:** NVD
**CVSS Base score:** 7.5
**CVSS Vector:**(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:**CVE-2024-42367
**DESCRIPTION:** aio-libs aiohttp could allow a remote attacker to traverse directories on the system, caused by improper archive file validation. An attacker could use a specially crafted archive file containing “dot dot” sequences (/../) to create arbitrary symlinks on the system.
**CWE:**CWE-61: UNIX Symbolic Link (Symlink) Following
**CVSS Source:** CVE.org
**CVSS Base score:** 4.8
**CVSS Vector:**(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
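The archive-validation failure described above has a standard fix: audit every member name and every symlink target against the destination directory before anything is written. The following is an added example, not aiohttp's code or the bulletin's: a stdlib-only Python audit of a zip archive that rejects absolute names, names that resolve outside the destination after `..` normalisation, and symlink members whose target resolves outside the destination. The archive is constructed in memory for the demonstration; `audit_zip`, `build_sample_zip` and the `/srv/extract` destination are names chosen for the illustration, and the audit never touches the filesystem.

```python
from __future__ import annotations

import io
import posixpath
import stat
import zipfile


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """Unix mode bits are stored in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def audit_zip(zf: zipfile.ZipFile, dest_root: str = "/srv/extract") -> dict[str, str]:
    """Return {member name: reason} for members that must not be extracted into
    dest_root. Members absent from the result are safe to extract. Names are
    handled as POSIX strings, so nothing on disk is consulted or created."""
    root = posixpath.normpath(dest_root)
    rejected: dict[str, str] = {}
    for info in zf.infolist():
        name = info.filename.replace("\\", "/")
        if posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
            rejected[info.filename] = "absolute path"
            continue
        target = posixpath.normpath(posixpath.join(root, name))
        if target != root and not target.startswith(root + "/"):
            rejected[info.filename] = "path escapes destination after '..' normalisation"
            continue
        if is_symlink(info):
            link = zf.read(info).decode("utf-8", "replace")
            resolved = link if posixpath.isabs(link) else posixpath.join(posixpath.dirname(target), link)
            if not posixpath.normpath(resolved).startswith(root + "/"):
                rejected[info.filename] = f"symlink target {link!r} escapes destination"
    return rejected


def build_sample_zip() -> bytes:
    """Constructed archive: one benign file, a '..' traversal, an absolute name,
    a symlink that escapes the destination and a symlink that stays inside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data/ok.txt", b"fine\n")
        zf.writestr("../../etc/cron.d/evil", b"* * * * * root id\n")
        zf.writestr("/etc/passwd", b"root::0:0::/:/bin/sh\n")
        for name, link_target in (("data/escape", "../../../etc"), ("data/sibling", "ok.txt")):
            link = zipfile.ZipInfo(name)
            link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark the member as a symlink
            zf.writestr(link, link_target)
    return buf.getvalue()


def audit_sample() -> dict[str, str]:
    return audit_zip(zipfile.ZipFile(io.BytesIO(build_sample_zip())))


if __name__ == "__main__":
    for member, reason in audit_sample().items():
        print(f"REJECT {member!r}: {reason}")
```

Two points a practitioner should carry over: the symlink check resolves the target relative to the member's own directory inside the destination, not relative to the current working directory, and a member is only safe if its path still lies under the destination after normalisation, which is exactly what `zipfile.extractall` does not enforce for symlinks.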

**CVEID:**CVE-2024-53899
**DESCRIPTION:** virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
**CWE:**CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
**CVSS Source:** NVD
**CVSS Base score:** 7.8
**CVSS Vector:**(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2024-5569
**DESCRIPTION:** zipp is vulnerable to a denial of service, caused by an infinite loop flaw in the Path module. By using a specially crafted zip file, a local attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:**CWE-400: Uncontrolled Resource Consumption
**CVSS Source:** IBM X-Force
**CVSS Base score:** 6.2
**CVSS Vector:**(CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2024-56326
**DESCRIPTION:** Jinja is an extensible templating engine. Prior to 3.1.5, an oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja’s sandbox does catch calls to str.format and ensures they don’t escape the sandbox. However, it’s possible to store a reference to a malicious string’s format method, then pass that to a filter that calls it. No such filters are built into Jinja, but they could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox. This vulnerability is fixed in 3.1.5.
**CWE:**CWE-693: Protection Mechanism Failure
**CVSS Source:** CISA ADP
**CVSS Base score:** 7.8
**CVSS Vector:**(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2024-6345
**DESCRIPTION:** pypa/setuptools could allow a remote attacker to execute arbitrary code on the system, caused by an error in the package_index module. By persuading a victim to click a specially crafted URL, an attacker could exploit this vulnerability using its download functions to inject and execute arbitrary code on the system.
**CWE:**CWE-94: Improper Control of Generation of Code (‘Code Injection’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 8.8
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2024-8775
**DESCRIPTION:** A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
**CWE:**CWE-532: Insertion of Sensitive Information into Log File
**CVSS Source:** CVE.org
**CVSS Base score:** 5.5
**CVSS Vector:**(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2024-9902
**DESCRIPTION:** A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user’s home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.
**CWE:**CWE-863: Incorrect Authorization
**CVSS Source:** Red Hat
**CVSS Base score:** 6.3
**CVSS Vector:**(CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L)

## Affected Products and Versions

Affected Product(s) | Version(s)
---|---
GDSC Platform On-prem | 3.7.1

## Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now by upgrading to Guardium Data Security Center v3.7.1, which can be downloaded as an archive file (2.7.2.tar.gz) from: https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-guardium-data-security-center/2.7.2

## Workarounds and Mitigations

None
