Multiple vulnerabilities in IBM Edge Application Manager
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2024-29018 CVE-2024-4067 CVE-2024-28863 CVE-2024-24557 |
| CWE-ID | CWE-669 CWE-185 CWE-400 CWE-345 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software Subscribe |
IBM Edge Application Manager Client/Desktop applications / Software for system administration |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Incorrect Resource Transfer Between Spheres
EUVDB-ID: #VU87658
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-29018
CWE-ID:
CWE-669 - Incorrect Resource Transfer Between Spheres
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application within external DNS requests from "internal" networks. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Edge Application Manager: 4.4 - 4.5
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_edge_application_manager:4.5:*:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_edge_application_manager:4.4:*:*:*:*:*:*:
http://www.ibm.com/support/pages/node/7158838
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Incorrect Regular Expression
EUVDB-ID: #VU92406
Risk: Medium
CVSSv3.1: 6.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:T/RC:C]
CVE-ID: CVE-2024-4067
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Install update from vendor's website.
Vulnerable software versionsIBM Edge Application Manager: 4.4 - 4.5
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_edge_application_manager:4.5:*:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_edge_application_manager:4.4:*:*:*:*:*:*:
http://www.ibm.com/support/pages/node/7158838
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource exhaustion
EUVDB-ID: #VU87734
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2024-28863
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources while parsing a tar file. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Edge Application Manager: 4.4 - 4.5
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_edge_application_manager:4.5:*:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_edge_application_manager:4.4:*:*:*:*:*:*:
http://www.ibm.com/support/pages/node/7158838
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Insufficient verification of data authenticity
EUVDB-ID: #VU86049
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-24557
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient verification of data authenticity. A remote attacker can poison victim´s cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Edge Application Manager: 4.4 - 4.5
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_edge_application_manager:4.5:*:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_edge_application_manager:4.4:*:*:*:*:*:*:
http://www.ibm.com/support/pages/node/7158838
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
