SB2025021218 - Multiple vulnerabilities in IBM dashDB Local

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025021218

SB2025021218 - Multiple vulnerabilities in IBM dashDB Local

Published: February 12, 2025

Security Bulletin ID SB2025021218
Severity
High
Patch available
YES
Number of vulnerabilities 86
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 14% Medium 57% Low 29%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 86 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2023-30449)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-27558)

The vulnerability allows a local attacker to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions. A local attacker can exploit this vulnerability to gain elevated privileges by inserting an executable file in the path of the affected service.


3) Information disclosure (CVE-ID: CVE-2023-29256)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can gain unauthorized access to sensitive information on the system.


4) Resource exhaustion (CVE-ID: CVE-2023-30442)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


5) Code Injection (CVE-ID: CVE-2023-27868)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to unchecked class instantiation when providing plugin classes. A remote user can send a specially crafted request using the named pluginClassName class and execute arbitrary code on the target system.


6) Code Injection (CVE-ID: CVE-2023-27867)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote user can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


7) Code Injection (CVE-ID: CVE-2023-27869)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to unchecked logger injection. A remote user can send a specially crafted request using the named traceFile property and execute arbitrary code on the target system.


8) Buffer overflow (CVE-ID: CVE-2023-30431)

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A local attacker can create a specially crafted file, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


9) Insufficient Logging (CVE-ID: CVE-2023-23487)

The vulnerability allows a remote user to modify data on the system.

The vulnerability exists due to insufficient audit logging. A remote user can trigger the vulnerability to modify data on the system.


10) Resource exhaustion (CVE-ID: CVE-2023-30445)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send a specially crafted query on certain tables to trigger resource exhaustion and perform a denial of service (DoS) attack.


11) Buffer overflow (CVE-ID: CVE-2023-39976)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in log_blackbox.c. A remote attacker can send an overly long log message tp the application, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


12) Resource exhaustion (CVE-ID: CVE-2023-30448)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send a specially crafted query on certain tables to trigger resource exhaustion and perform a denial of service (DoS) attack.


13) Resource exhaustion (CVE-ID: CVE-2023-30443)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can send a specially crafted query on certain tables to trigger resource exhaustion and perform a denial of service (DoS) attack.


14) Resource exhaustion (CVE-ID: CVE-2023-30446)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send specially crafted query on certain tables to trigger resource exhaustion and perform a denial of service (DoS) attack.


15) Resource exhaustion (CVE-ID: CVE-2023-30447)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send a specially crafted query on certain tables to trigger resource exhaustion and perform a denial of service (DoS) attack.


16) Resource exhaustion (CVE-ID: CVE-2024-22360)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


17) Input validation error (CVE-ID: CVE-2023-52296)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


18) Resource exhaustion (CVE-ID: CVE-2024-27254)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


19) Input validation error (CVE-ID: CVE-2024-25046)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


20) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2024-25030)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. A local user can read the log files and gain access to sensitive data.


21) Out-of-bounds write (CVE-ID: CVE-2023-35012)

The vulnerability allows a remote privileged user to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input. A remote privileged user can send a specially crafted file, trigger an out-of-bounds write and execute arbitrary code on the target system.


22) Resource exhaustion (CVE-ID: CVE-2023-40373)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack with a specially crafted query containing common table expressions.


23) Information disclosure (CVE-ID: CVE-2023-38729)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can gain unauthorized access to sensitive information on the system.


24) Improper input validation (CVE-ID: CVE-2023-21954)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


25) Segmentation fault (CVE-ID: CVE-2023-5676)

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. A local privileged user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


26) Improper input validation (CVE-ID: CVE-2023-22081)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM for JDK. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.


27) Out-of-bounds read (CVE-ID: CVE-2023-2597)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to in the implementation of the shared cache (which is enabled by default in OpenJ9 builds) the size of a string is not properly checked against the size of the buffer. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.


28) Improper input validation (CVE-ID: CVE-2023-21938)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


29) Improper input validation (CVE-ID: CVE-2023-21937)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


30) Improper input validation (CVE-ID: CVE-2023-21968)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


31) Improper input validation (CVE-ID: CVE-2023-21939)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Swing component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


32) Improper input validation (CVE-ID: CVE-2023-21967)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


33) SQL injection (CVE-ID: CVE-2023-40372)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.


34) Improper input validation (CVE-ID: CVE-2023-21930)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


35) Resource exhaustion (CVE-ID: CVE-2023-38728)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can send a specially crafted XML query statement, trigger resource exhaustion and perform a denial of service (DoS) attack.


36) Resource exhaustion (CVE-ID: CVE-2023-40374)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can send a specially crafted query statement, trigger resource exhaustion and perform a denial of service (DoS) attack.


37) Observable discrepancy (CVE-ID: CVE-2023-33850)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to timing-based side channel in the RSA Decryption implementation. A remote attacker can send an overly large number of trial messages for decryption and gain unauthorized access to sensitive information on the system.


38) Resource exhaustion (CVE-ID: CVE-2023-38720)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can send a specially crafted ALTER TABLE statement, trigger resource exhaustion and perform a denial of service (DoS) attack.


39) Resource exhaustion (CVE-ID: CVE-2023-30991)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send a specially crafted query to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.


40) SQL injection (CVE-ID: CVE-2023-38740)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.


41) Resource exhaustion (CVE-ID: CVE-2023-38719)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack during database deactivation on DPF.


42) Resource exhaustion (CVE-ID: CVE-2023-30987)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


43) Input validation error (CVE-ID: CVE-2012-2677)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Integer overflow in the ordered_malloc function in boost/pool/pool.hpp in Boost Pool before 3.9 makes it easier for context-dependent attackers to perform memory-related attacks such as buffer overflows via a large memory chunk size value, which causes less memory to be allocated than expected.


44) Input validation error (CVE-ID: CVE-2023-50308)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability occurs when a statement is run on columnar tables. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


45) Buffer overflow (CVE-ID: CVE-2015-8395)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to PCRE mishandles certain references. A remote attacker can cause a denial of service or possibly have unspecified other impact via a crafted regular expression.


46) Resource exhaustion (CVE-ID: CVE-2023-46167)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when a specially crafted cursor is used. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


47) Resource exhaustion (CVE-ID: CVE-2023-45178)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion with a specially crafted request and perform a denial of service (DoS) attack.


48) Resource exhaustion (CVE-ID: CVE-2023-29258)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send a specially crafted federated query on specific federation objects and perform a denial of service (DoS) attack.


49) Buffer overflow (CVE-ID: CVE-2015-8392)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to PCRE mishandles certain instances of the (?| substring. A remote attacker can cause a denial of service (unintended recursion and buffer overflow) or possibly have unspecified other impact via a crafted regular expression.


50) Integer overflow (CVE-ID: CVE-2020-14155)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow. A remote attacker can pass a large number after a (?C substring, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


51) Buffer overflow (CVE-ID: CVE-2015-2327)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to PCRE mishandles the /(((a2)|(a*)g<-1>))*/ pattern and related patterns with certain internal recursive back references. A remote attacker can cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression.


52) Data Handling (CVE-ID: CVE-2015-2328)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to PCRE mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion. A remote attacker can cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression.


53) Integer overflow (CVE-ID: CVE-2015-8394)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow when processing the (?() and (?(R) conditions. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.



54) Information disclosure (CVE-ID: CVE-2015-8393)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to pcregrep in PCRE mishandles the -q option for binary files. A remote attacker can gain unauthorized access to sensitive information on the system.


55) Resource exhaustion (CVE-ID: CVE-2023-43020)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can send a specially crafted query and perform a denial of service (DoS) attack.


56) Use of uninitialized resource (CVE-ID: CVE-2015-8390)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to usage of uninitialized resources when processing the [: and \ substrings in character classes. A remote attacker can pass specially crafted data to the application, trigger uninitialized usage of resources and bypass implemented security mechanisms.


57) Buffer overflow (CVE-ID: CVE-2015-8391)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due pcre_compile function in pcre_compile.c in PCRE mishandles certain [: nesting. A remote attacker can cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression.


58) Integer overflow (CVE-ID: CVE-2015-8387)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to PCRE mishandles (?123) subroutine calls and related subroutine calls. A remote attacker can cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression.


59) Buffer overflow (CVE-ID: CVE-2015-8385)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to PCRE mishandles the /(?|(k&#039;Pm&#039;)|(?&#039;Pm&#039;))/ pattern and related patterns with certain forward references. A remote attacker can create a specially crafted Office document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.


60) Buffer overflow (CVE-ID: CVE-2015-8388)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to PCRE mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis. A remote attacker can cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression.


61) Buffer overflow (CVE-ID: CVE-2015-8386)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing regular expressions. A remote attacker can trigger memory corruption using a JavaScript RegExp object and execute arbitrary code on the target system.


62) Heap-based buffer overflow (CVE-ID: CVE-2015-8381)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the compile_regex() function in pcre_compile.c in PCRE when handling related patterns with certain group references. A remote attacker can use a crafted regular expression to trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


63) Buffer overflow (CVE-ID: CVE-2015-8383)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to PCRE mishandles certain repeated conditional groups. A remote attacker can cause a denial of service (buffer overflow) or possibly have an unspecified other impact via a crafted regular expression.


64) Resource exhaustion (CVE-ID: CVE-2023-47701)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send a specially crafted query, trigger resource exhaustion and perform a denial of service (DoS) attack.


65) Buffer overflow (CVE-ID: CVE-2018-25032)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when compressing data. A remote attacker can pass specially crafted input to the application, trigger memory corruption and perform a denial of service (DoS) attack.


66) Resource exhaustion (CVE-ID: CVE-2023-45193)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability occurs when a specially crafted cursor is used. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


67) Input validation error (CVE-ID: CVE-2023-32731)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input when parsing HTTP2 requests. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. This could lead to requests from the proxy being interpreted as containing headers from different proxy clients, leading to an information leak that can be used for privilege escalation or data exfiltration.


68) Input validation error (CVE-ID: CVE-2023-47141)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. An authenticated user with CONNECT privileges can pass specially crafted query to the application and perform a denial of service (DoS) attack.


69) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2023-47152)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure cryptographic algorithm and to information disclosure in stack trace under exceptional conditions A remote attacker can gain unauthorized access to sensitive information on the system.


70) Input validation error (CVE-ID: CVE-2023-47746)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user with CONNECT privileges can pass specially crafted query to the application and perform a denial of service (DoS) attack.


71) Code Injection (CVE-ID: CVE-2023-27859)

The vulnerability allows a remote user to modify data on the system.

The vulnerability exists due to improper input validation. A remote user can install a malicious jar file that overwrites the existing like-named jar file in another database.


72) Input validation error (CVE-ID: CVE-2023-47747)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user with CONNECT privileges can pass specially crafted query to the application and perform a denial of service (DoS) attack.


73) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-47145)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions. A local user can trigger the vulnerability to bypass security restrictions and escalate privileges to the SYSTEM user using the MSI repair functionality


74) Input validation error (CVE-ID: CVE-2023-47158)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user with CONNECT privileges can pass specially crafted input to the application and perform a denial of service (DoS) attack.


75) Improper input validation (CVE-ID: CVE-2022-3510)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Policy (Google Protobuf-Java) component in Oracle Communications Cloud Native Core Policy. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


76) Resource exhaustion (CVE-ID: CVE-2023-34462)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources if no idle timeout handler was configured. A remote attacker can send a client hello packet, which leads the server to buffer up to 16MB of data per connection and results in a denial of service condition.


77) Double Free (CVE-ID: CVE-2002-0059)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can pass specially crafted data to the application, trigger double free error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


78) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-43642)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing upper bound check on chunk length. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


79) Input validation error (CVE-ID: CVE-2022-3509)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when parsing textformat data. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


80) Input validation error (CVE-ID: CVE-2022-3171)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input containing multiple instances of non-repeated embedded messages with repeated or unknown fields. A remote attacker can cause objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.


81) Uncontrolled Recursion (CVE-ID: CVE-2023-1370)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when processing nested arrays and objects. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service (DoS) attack.


82) Improper access control (CVE-ID: CVE-2023-38003)

The vulnerability allows a remote privileged user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user with DATAACCESS privileges can execute routines that they should not have access to.


83) SQL injection (CVE-ID: CVE-2023-38727)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


84) Resource exhaustion (CVE-ID: CVE-2023-40687)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send a specially crafted RUNSTATS command on an 8TB table and perform a denial of service (DoS) attack.


85) Resource exhaustion (CVE-ID: CVE-2023-40692)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources under extreme stress conditions. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


86) Heap-based buffer overflow (CVE-ID: CVE-2022-37434)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing a large gzip header within inflateGetHeader in inflate.c. A remote attacker can pass a specially crafted file to the affected application, trigger heap-based buffer overflow and execute arbitrary code on the target system.



Remediation

Install update from vendor's website.

References