SB2025011714 - Multiple vulnerabilities in IBM TRIRIGA

Security Bulletin ID SB2025011714

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2020-13956)

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to insufficient validation of user-supplied input in Apache HttpClient. A remote attacker can pass request URIs to the library as java.net.URI object and force the application to pick the wrong target host for request execution.

2) Improper Certificate Validation (CVE-ID: CVE-2012-5783)

The vulnerability allows a remote attacker to perform a man-in-the-middle attack to spoof SSL servers via an arbitrary valid certificate.

The vulnerability exists due to Apache Commons HttpClient does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. A remote attacker can perform a man-in-the-middle attack to spoof SSL servers via an arbitrary valid certificate.

Remediation

Install update from vendor's website.

References

https://www.ibm.com/blogs/psirt/security-bulletinibm-tririga-application-platform-discloses-cve-2020-13956/