SB2024112719 - IBM Sterling Connect:Direct Web Services update for VMware Tanzu Spring

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024112719

SB2024112719 - IBM Sterling Connect:Direct Web Services update for VMware Tanzu Spring

Published: November 27, 2024 Updated: December 4, 2024

Security Bulletin ID SB2024112719
Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 security vulnerability.


1) Path traversal (CVE-ID: CVE-2024-38816)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Specifically, an application is vulnerable when both of the following are true:

  • the web application uses RouterFunctions</code> to serve static resources</li><li>resource handling is explicitly configured with a <code>FileSystemResource location


Remediation

Install update from vendor's website.

References