Multiple vulnerabilities in IBM Software Support app
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 20 |
| CVE-ID | CVE-2024-28849 CVE-2024-29415 CVE-2023-42282 CVE-2024-41946 CVE-2024-41123 CVE-2024-39908 CVE-2024-43799 CVE-2024-37890 CVE-2024-39338 CVE-2023-26159 CVE-2024-41818 CVE-2024-43398 CVE-2024-35176 CVE-2023-38037 CVE-2024-43800 CVE-2024-4067 CVE-2024-28863 CVE-2024-4068 CVE-2020-36327 CVE-2021-43809 |
| CWE-ID | CWE-200 CWE-918 CWE-776 CWE-20 CWE-79 CWE-476 CWE-601 CWE-1333 CWE-400 CWE-312 CWE-185 CWE-789 CWE-345 CWE-88 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #13 is available. Public exploit code for vulnerability #17 is available. |
| Vulnerable software |
Software Support App (iOS) Other software / Other software solutions Software Support app (Android) Other software / Other software solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 20 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU87551
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-28849
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to credentials are shared via headers when following cross-domain redirects. A remote attacker can gain access to sensitive information.
Install update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU95816
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2024-29415
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: Yes
DescriptionThe disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input within the isPublic() function when handling certain IP addresses, such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
Note, the vulnerability exists due to incomplete fix for #VU86944 (CVE-2023-42282).
Install update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU86944
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-42282
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input within the isPublic() function. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) XML Entity Expansion
EUVDB-ID: #VU95148
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-41946
CWE-ID:
CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when parsing XML with SAX2 or pull parser API. A remote attacker can pass specially crafted XML data to the application and perform a denial of service attack.
Install update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU95149
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-41123
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when parsing characters such as a whitespace character, >] and ]>. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU94363
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-39908
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass specially crafted characters, such as "<", "\0" and "%>" to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Cross-site scripting
EUVDB-ID: #VU97768
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-43799
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "SendStream.redirect()" function. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) NULL pointer dereference
EUVDB-ID: #VU94329
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-37890
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when handling requests with the number of headers that exceeds the "server.maxHeadersCount" value. A remote attacker can send a specially crafted request to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU96050
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-39338
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Open redirect
EUVDB-ID: #VU85369
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-26159
CWE-ID:
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data within the url.parse() function. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Inefficient regular expression complexity
EUVDB-ID: #VU97478
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-41818
CWE-ID:
CWE-1333 - Inefficient Regular Expression Complexity
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Install update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Resource exhaustion
EUVDB-ID: #VU96970
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-43398
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing XML with multiple deep elements that have same local name attributes. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Input validation error
EUVDB-ID: #VU94361
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2024-35176
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when parsing XML that has multiple bracket character occurrences (e.g. "<") in an attribute value. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
14) Cleartext storage of sensitive information
EUVDB-ID: #VU79951
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-38037
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to software uses a temporary file for storing unencrypted files. A local user can gain access to sensitive information.
Install update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Cross-site scripting
EUVDB-ID: #VU98131
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-43800
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Incorrect Regular Expression
EUVDB-ID: #VU92406
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-4067
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Install update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Resource exhaustion
EUVDB-ID: #VU87734
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2024-28863
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources while parsing a tar file. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
18) Uncontrolled Memory Allocation
EUVDB-ID: #VU92405
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-4068
CWE-ID:
CWE-789 - Uncontrolled Memory Allocation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. A remote attacker can send "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Insufficient verification of data authenticity
EUVDB-ID: #VU55666
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-36327
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient verification of data authenticity in Bundler, when choosing a dependency source. The application selects a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Improper Neutralization of Argument Delimiters in a Command
EUVDB-ID: #VU85298
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-43809
CWE-ID:
CWE-88 - Argument Injection or Modification
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability occurs when working with untrusted and apparently harmless `Gemfile`'s. A local user can trick the victim into opening a specially crafted directory containing a `Gemfile` file that declares a dependency that is located in a Git repository and execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSoftware Support App (iOS): 1.0.0
Software Support app (Android): 1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:software_support_app_ios:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:software_support_app_android:1.0.0:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7184391
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
