SB2024042408 - Multiple vulnerabilities in IBM Security Verify Governance
Published: April 24, 2024 Updated: January 20, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 17 secuirty vulnerabilities.
1) Infinite loop (CVE-ID: CVE-2009-2625)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop. A remote attacker can send a malformed XML input to the application, consume all available system resources and cause denial of service conditions.
2) Improper input validation (CVE-ID: CVE-2020-5258)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Cluster: Packaging (dojo) component in MySQL Cluster. A remote authenticated user can exploit this vulnerability to gain access to sensitive information.
3) Cross-site scripting (CVE-ID: CVE-2018-1000665)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in unit. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Improper input validation (CVE-ID: CVE-2022-34169)
The vulnerability allows a remote non-authenticated attacker to compromise the affected system.
The vulnerability exists due to an integer truncation issue when processing malicious XSLT stylesheets. A remote non-authenticated attacker can pass specially crafted data to the application to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.
5) Deserialization of Untrusted Data (CVE-ID: CVE-2022-25647)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to insecure input validation when processing serialized data passed to writeReplace() method. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.
6) Information disclosure (CVE-ID: CVE-2022-46363)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. A remote attacker can gain list directories on the system or exfiltrate code.
7) Input validation error (CVE-ID: CVE-2022-3509)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when parsing textformat data. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
8) Improper input validation (CVE-ID: CVE-2012-0881)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the UI Infrastructure (Apache Xerces2 Java Parser) component in Oracle Transportation Management. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
9) Infinite loop (CVE-ID: CVE-2022-23437)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when parsing XML documents. A remote attacker can supply a specially crafted XML document, consume all available system resources and cause denial of service conditions.
10) Resource exhaustion (CVE-ID: CVE-2013-4002)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
11) Input validation error (CVE-ID: CVE-2017-1000048)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
12) Improper input validation (CVE-ID: CVE-2014-10064)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists in the qs module due to an error when specifying object depth. A remote attacker can parse a deeply nested JSON string, trigger extended event loop and cause the service to crash.
13) Resource management error (CVE-ID: CVE-2014-7191)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to qs module in Node.js does not call the compact function for array data. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
14) Input validation error (CVE-ID: CVE-2022-41966)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass specially crafted data to the application, trigger a stack overflow error and perform a denial of service (DoS) attack.
15) Input validation error (CVE-ID: CVE-2020-14338)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. A remote attacker can pass specially-crafted XML file to the application and manipulate the validation process in certain cases.
16) Improper input validation (CVE-ID: CVE-2023-35116)
The vulnerability allows a remote authenticated user to perform service disruption.
The vulnerability exists due to improper input validation within the Oracle Database Fleet Patching and Provisioning (jackson-databind) in Oracle Database Server. A remote authenticated user can exploit this vulnerability to perform service disruption.
17) Resource management error (CVE-ID: CVE-2021-22569)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. protobuf-java allowes the interleaving of
com.google.protobuf.UnknownFieldSet fields in such a way that would be
processed out of order. A small malicious payload can occupy the parser
for several minutes by creating large numbers of short-lived objects
that cause frequent, repeated pauses. A remote attacker can trick the victim into passing specially crafted data to the application and perform a denial of service attack.
Remediation
Install update from vendor's website.