SB20240417123 - Multiple vulnerabilities in IBM Security Verify Governance, Identity Manager

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20240417123

SB20240417123 - Multiple vulnerabilities in IBM Security Verify Governance, Identity Manager

Published: April 17, 2024

Security Bulletin ID SB20240417123
Severity
Medium
Patch available
YES
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 22% Low 78%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2023-38729)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can gain unauthorized access to sensitive information on the system.


2) Input validation error (CVE-ID: CVE-2012-2677)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Integer overflow in the ordered_malloc function in boost/pool/pool.hpp in Boost Pool before 3.9 makes it easier for context-dependent attackers to perform memory-related attacks such as buffer overflows via a large memory chunk size value, which causes less memory to be allocated than expected.


3) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2024-25030)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. A local user can read the log files and gain access to sensitive data.


4) Input validation error (CVE-ID: CVE-2024-25046)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


5) Resource exhaustion (CVE-ID: CVE-2024-27254)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


6) Input validation error (CVE-ID: CVE-2023-52296)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


7) Resource exhaustion (CVE-ID: CVE-2024-22360)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


8) Resource exhaustion (CVE-ID: CVE-2023-51775)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion via large p2c (aka PBES2 Count) value and perform a denial of service (DoS) attack.


9) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2023-50313)

The vulnerability allows an attacker in adjacent network to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. An attacker in adjacent network can gain unauthorized access to sensitive information on the system.


Remediation

Install update from vendor's website.

References