SB2024050727 - Multiple vulnerabilities in IBM Planning Analytics Local - IBM Planning Analytics Workspace
Published: May 7, 2024 Updated: January 31, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 66 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2023-21977)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
2) Improper input validation (CVE-ID: CVE-2023-21976)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
3) Improper input validation (CVE-ID: CVE-2023-22111)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: UDF component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
4) Improper input validation (CVE-ID: CVE-2024-20965)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
5) Improper input validation (CVE-ID: CVE-2024-20963)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Security: Encryption component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
6) Improper input validation (CVE-ID: CVE-2023-21972)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
7) Improper input validation (CVE-ID: CVE-2023-22115)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
8) Improper input validation (CVE-ID: CVE-2024-20981)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: DDL component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
9) Improper input validation (CVE-ID: CVE-2024-20971)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
10) Improper input validation (CVE-ID: CVE-2023-22065)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
11) Improper input validation (CVE-ID: CVE-2024-20969)
The vulnerability allows a remote privileged user to damange or delete data.
The vulnerability exists due to improper input validation within the Server: DDL component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.
12) Improper input validation (CVE-ID: CVE-2023-22110)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
13) Improper input validation (CVE-ID: CVE-2024-20977)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
14) Improper input validation (CVE-ID: CVE-2023-22104)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
15) Improper input validation (CVE-ID: CVE-2023-21980)
The vulnerability allows a remote authenticated user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Client programs component in MySQL Server. A remote authenticated user can exploit this vulnerability to execute arbitrary code.
16) Improper input validation (CVE-ID: CVE-2023-21982)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
17) Improper input validation (CVE-ID: CVE-2023-22064)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
18) Improper input validation (CVE-ID: CVE-2024-20967)
The vulnerability allows a remote privileged user to damange or delete data.
The vulnerability exists due to improper input validation within the Server: Replication component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.
19) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-22243)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input when parsing URL with the UriComponentsBuilder component. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
20) Inadequate encryption strength (CVE-ID: CVE-2023-48795)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to incorrect implementation of the SSH Binary Packet Protocol (BPP), which mishandles the handshake phase and the use of sequence numbers. A remote attacker can perform MitM attack and delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5.
The vulnerability was dubbed "Terrapin attack" and it affects both client and server implementations.
21) Prototype pollution (CVE-ID: CVE-2023-26136)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
22) Resource exhaustion (CVE-ID: CVE-2024-26308)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of memory when unpacking a broken Pack200 file. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
23) Infinite loop (CVE-ID: CVE-2024-25710)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when processing a corrupt DUMP file. A remote attacker can consume all available system resources and cause denial of service conditions.
24) Improper input validation (CVE-ID: CVE-2023-22084)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
25) Improper input validation (CVE-ID: CVE-2024-20983)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
26) Improper input validation (CVE-ID: CVE-2024-20961)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
27) Improper input validation (CVE-ID: CVE-2023-22113)
The vulnerability allows a remote privileged user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Server: Security: Encryption component in MySQL Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.
28) Improper input validation (CVE-ID: CVE-2023-22007)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Replication component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
29) Improper input validation (CVE-ID: CVE-2024-20985)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: UDF component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
30) Improper input validation (CVE-ID: CVE-2023-22079)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
31) Improper input validation (CVE-ID: CVE-2023-22092)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
32) Improper input validation (CVE-ID: CVE-2023-22112)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
33) Improper input validation (CVE-ID: CVE-2024-20973)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
34) Cross-site request forgery (CVE-ID: CVE-2023-45857)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
35) Improper Authentication (CVE-ID: CVE-2023-2975)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in the AES-SIV cipher implementation when authenticating empty data entries via the EVP_EncryptUpdate() and EVP_CipherUpdate() functions. A remote attacker can bypass authentication process and impact application's integrity.
36) Improper input validation (CVE-ID: CVE-2023-22066)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
37) Code Injection (CVE-ID: CVE-2020-13936)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker with ability to modify Velocity templates can inject and execute arbitrary Java code on the system with the same privileges as the account running the Servlet container.
38) Improper validation of integrity check value (CVE-ID: CVE-2023-38552)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error in the policy feature, which checks the integrity of a resource against a trusted manifest. An application can intercept the operation and return a forged checksum to node's policy implementation, thus effectively disabling the integrity check.
39) Input validation error (CVE-ID: CVE-2023-4807)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the POLY1305 MAC (message authentication code) implementation. A remote attacker can send specially crafted input to the application and corrupt MM registers on Windows 64 platform, resulting in a denial of service condition.
40) Buffer overflow (CVE-ID: CVE-2022-3602)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing the email address field inside X.509 certificate. A remote attacker can supply a specially crafted certificate to the application, trigger a 4-byte buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that either a CA signs the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.
41) Resource management error (CVE-ID: CVE-2023-2650)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when processing OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS subsystems with no message size limit. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.
42) Resource management error (CVE-ID: CVE-2023-3446)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the DH_check(), DH_check_ex() and EVP_PKEY_param_check() function when processing a DH key or DH parameters. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
43) Improper input validation (CVE-ID: CVE-2023-22068)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
44) Resource management error (CVE-ID: CVE-2023-3817)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when checking the long DH keys. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
45) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2023-42282)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input within the isPublic() function. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
46) Path traversal (CVE-ID: CVE-2023-39331)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to insufficient patch for #VU77594 (CVE-2023-30584). A remote user can send a specially crafted request and read arbitrary files on the system.
47) Code Injection (CVE-ID: CVE-2023-39333)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation in an imported WebAssembly module when processing export names. A remote attacker can pass specially crafted export names to the application and execute arbitrary JavaScript code on the system.
48) Path traversal (CVE-ID: CVE-2023-39332)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in paths stored in Uint8Array. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
49) Improper input validation (CVE-ID: CVE-2024-20975)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
50) Improper input validation (CVE-ID: CVE-2023-22078)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
51) Inconsistency between implementation and documented design (CVE-ID: CVE-2024-21890)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper handling of wildcards in --allow-fs-read and --allow-fs-write. A remote attacker can gain access to sensitive information.
52) Open redirect (CVE-ID: CVE-2023-26159)
The vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data within the url.parse() function. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
53) Input validation error (CVE-ID: CVE-2024-22019)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP requests with chunked encoding. A remote attacker can send specially crafted HTTP request to the server and perform a denial of service (DoS) attack.
54) Path traversal (CVE-ID: CVE-2024-21891)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
55) Improper Privilege Management (CVE-ID: CVE-2024-22017)
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). A local user can escalate privileges on the system.
56) Improper handling of exceptional conditions (CVE-ID: CVE-2024-21892)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the way certain environment variables are handled by Node.js on Linux. A local user can use a specially crafted environment variable to escalate privileges on the system.
57) Covert Timing Channel (CVE-ID: CVE-2023-46809)
The vulnerability allows a remote attacker to perform Marvin attack.
The vulnerability exists due to a covert timing channel in the privateDecrypt() API of the crypto library. A remote attacker can perform a covert timing side-channel during PKCS#1 v1.5 padding error handling and decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing Json Web Encryption messages.
58) Path traversal (CVE-ID: CVE-2024-21896)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in Buffer.prototype.utf8Write. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
59) Resource exhaustion (CVE-ID: CVE-2024-28176)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in the JSON Web Encryption (JWE) decryption interfaces. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
60) Improper input validation (CVE-ID: CVE-2023-22103)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
61) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-22259)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input when parsing URL with the UriComponentsBuilder component. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
62) Improper input validation (CVE-ID: CVE-2023-22032)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
63) Improper input validation (CVE-ID: CVE-2023-22059)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
64) Improper input validation (CVE-ID: CVE-2023-22070)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
65) Improper input validation (CVE-ID: CVE-2023-22114)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
66) Improper input validation (CVE-ID: CVE-2023-22097)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.