SB2025012468 - Multiple vulnerabilities in Communications Service Catalog and Design

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025012468

SB2025012468 - Multiple vulnerabilities in Communications Service Catalog and Design

Published: January 24, 2025

Security Bulletin ID SB2025012468
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 60% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Resource management error (CVE-ID: CVE-2024-47535)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an unsafe reading of an environment file on Windows. A local user can create an overly large file and perform a denial of service (DoS) attack.


2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2024-38807)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to incorrect signature verification when using spring-boot-loader and spring-boot-loader-classic for nested jar files. A local user can forge the signature to spoof identity of the code signer.


3) Incorrect authorization (CVE-ID: CVE-2024-27309)

The vulnerability allows a remote attacker to gain access to sensitive information and modify data on the system.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can gain access to sensitive information and modify data on the system.


4) Uncontrolled Recursion (CVE-ID: CVE-2024-7254)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. A remote attacker can pass specially crafted input to the application to create unbounded recursions and perform a denial of service (DoS) attack.


5) Resource exhaustion (CVE-ID: CVE-2024-47554)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling untrusted input passed to the org.apache.commons.io.input.XmlStreamReader class. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References