Security bulletins and fixes

Stay informed about known security vulnerabilities and fixes for IBM Cloud Pak® for AIOps by subscribing to the security bulletins and by reviewing the list of fixed security-related vulnerabilities.

Security bulletins

Subscribe to IBM Cloud Pak for AIOps notifications by following these steps:

  1. Go to the IBM Support site.

  2. Scroll to the Support basics section. Then, click the Notification settings card.

  3. Log in to IBM with your IBM ID and password to continue.

  4. Enter IBM Cloud Pak for AIOps in the Product lookup field. Click Subscribe.

  5. In the Select document types page, select Security bulletin and Fixes > Security Vulnerability (Sec/Int). You can also select any other document types that you want to stay informed about.

  6. Click Submit.

  7. To configure how you receive notifications, click Delivery preferences in the banner at the beginning of the page. Edit your settings as needed.

Fixed security-related vulnerabilities in version 4.7.1

Review the following tables, which list the fixed security-related vulnerabilities that were reported in IBM Cloud Pak for AIOps and in any included IBM or third-party software.

Table. Fixed Common Vulnerabilities and Exposures in Version 4.7.1
CVE-ID Issue Description
CVE-2021-35937 Opens in a new tab RPM Project RPM privilege escalation RPM Project RPM could allow a local authenticated attacker to gain elevated privileges on the system, caused by a TOCTOU race in checks for unsafe symlinks. An attacker could exploit this vulnerability to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501 and gain root privileges on the system.
CVE-2021-35938 Opens in a new tab RPM Project RPM privilege escalation RPM Project RPM could allow a local authenticated attacker to gain elevated privileges on the system, caused by a symbolic link when setting the desired permissions and credentials after installing a file. An attacker could exploit this vulnerability to exchange the original file with a symbolic link to a security-critical file and gain elevated privileges on the system.
CVE-2021-35939 Opens in a new tab RPM Project RPM privilege escalation RPM Project RPM could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to perform checks for unsafe symlinks for intermediary directories. An attacker could exploit this vulnerability to gain root privileges on the system.
CVE-2021-46984 Opens in a new tab Linux Kernel information disclosure Linux Kernel could allow a local attacker to obtain sensitive information, caused by an out-of-bounds read flaw when preempted. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVE-2021-47097 Opens in a new tab Linux Kernel information disclosure Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an out-of-bounds read flaw in elantech_change_report_id(). By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVE-2021-47101 Opens in a new tab Linux Kernel information disclosure Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an uninit-value flaw in asix_mdio_read(). By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVE-2021-47287 Opens in a new tab
CVE-2021-47289 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a null pointer dereference in ACPI. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2021-47321 Opens in a new tab Linux kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in calling del_timer_sync() of watchdog. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-47338 Opens in a new tab
CVE-2021-47352 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by not properly validate the length of data provided by an untrusted device in the virtio-net driver. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-47383 Opens in a new tab Linux Kernel code execution Linux Kernel could allow a local authenticated attacker to execute arbitrary code on the system, caused by an out-of-bound vmalloc access flaw in imageblit. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2021-47384 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw when driver read tmp value sufficient for (tmp & 0x08) && (!(tmp & 0x80)) && ((tmp & 0x7) == ((tmp >> 4) & 0x7)) from device. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-47385 Opens in a new tab
CVE-2021-47386 Opens in a new tab
CVE-2021-47393 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw with return non-zero value when fan current state is enforced from sysfs. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-47412 Opens in a new tab
CVE-2021-47432 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by an integer overflows related to the radix tree code. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-47441 Opens in a new tab Linux Kernel information disclosure Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an out-of-bounds memory accesses flaw when thermal state transition statistics are enabled (CONFIG_THERMAL_STATISTICS=y). By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVE-2021-47497 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a shift-out-of-bound (UBSAN) flaw with byte size cells. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2022-48619 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in the input_set_capability() function when an event code is outside the bitmap. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2022-48754 Opens in a new tab
CVE-2022-48760 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw related to memory-access ordering on SMP systems. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2022-48804 Opens in a new tab Linux Kernel information disclosure Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a transient integer underflow in the array_index_nospec function. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVE-2022-48836 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a wrong endpoint type issue in the usb_submit_urb() function. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2022-48866 Opens in a new tab
CVE-2023-5981 Opens in a new tab GNU GnuTLS information disclosure GNU GnuTLS could allow a remote attacker to obtain sensitive information, caused by a timing sidechannel issue during RSA-PSK key exchange. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-6004 Opens in a new tab libssh command execution libssh could allow a local authenticated attacker to execute arbitrary commands on the system, caused by a flaw in the ProxyCommand handling. By sending a specially crafted request using hostname in expanded proxycommand, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVE-2023-6040 Opens in a new tab Linux Kernel code execution Linux Kernel could allow a local authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds access flaw during the creation of a new netfilter table. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2023-6918 Opens in a new tab libssh denial of service libssh is vulnerable to a denial of service, caused by an unchecked return value flaw for the abstract layer for message digest (MD) operations. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2023-7008 Opens in a new tab systemd man-in-the-middle systemd is vulnerable to a man-in-the-middle attack, caused by a flaw with able to accept records of DNSSEC-signed domains even when they have no signature. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to manipulate records.
CVE-2023-7104 Opens in a new tab SQLite SQLite3 buffer overflow SQLite SQLite3 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the sessionReadRecord function in ext/session/sqlite3session.c. By sending a specially crafted request, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CVE-2023-28322 Opens in a new tab cURL libcurl security bypass cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a flaw in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.. By sending a specially crafted request, an attacker could exploit this vulnerability to cause application to misbehave and either send off the wrong data or use memory after free or similar in the second transfer.
CVE-2023-38546 Opens in a new tab cURL libcurl security bypass cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a flaw in the curl_easy_duphandle function if a transfer has cookies enabled when the handle is duplicated. By sending a specially crafted request, an attacker could exploit this vulnerability to insert cookies at will into a running program.
CVE-2023-39326 Opens in a new tab Golang Go information disclosure Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw in the net/http package. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to read many more bytes from the network than are in the body, and use this information to launch further attacks against the affected system.
CVE-2023-45284 Opens in a new tab Golang Go weak security Golang Go could provide weaker than expected security, caused by the failure to correctly detect reserved device names in some cases by the IsLocal function in the filepath package. An attacker could exploit this vulnerability to report "COM1", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3 as local.
CVE-2023-46218 Opens in a new tab cURL libcurl security bypass cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a mixed case flaw when curl is built without PSL support. By sending a specially crafted request, an attacker could exploit this vulnerability to allow a HTTP server to set "super cookies" in curl.
CVE-2023-52428 Opens in a new tab Connect2id Nimbus-JOSE-JWT denial of service Connect2id Nimbus-JOSE-JWT is vulnerable to a denial of service, caused by improper validation of user requests by the PasswordBasedDecrypter (PBKDF2) component. By sending a specially crafted request using a large JWE p2c header, a remote attacker could exploit this vulnerability to cause a denial of service.
CVE-2023-52470 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in radeon_crtc_init(). A local attacker could exploit this vulnerability to cause a denial of service.
CVE-2023-52476 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a panic can occur when a vsyscall is made while LBR sampling is active. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2023-52478 Opens in a new tab Linux Kernel information disclosure Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a race condition in the hidpp_connect_event() function. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or crash the system.
CVE-2023-52522 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in neigh_periodic_work() function. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2023-52605 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference check. A local attacker could exploit this vulnerability to cause a denial of service.
CVE-2023-52683 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a overflow in the lpit_update_residency() function. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2023-52817 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference when the smc_rreg pointer is NULL. An attacker could exploit this vulnerability to cause a denial of service.
CVE-2023-52840 Opens in a new tab Input: synaptics-rmi4 - fix use after free in rmi_unregister_function() In the Linux kernel, the following vulnerability has been resolved: Input: synaptics-rmi4 - fix use after free in rmi_unregister_function() The put_device() calls rmi_release_function() which frees "fn" so the dereference on the next line "fn->num_of_irqs" is a use after free. Move the put_device() to the end to fix this.
CVE-2024-0553 Opens in a new tab GnuTLS information disclosure GnuTLS could allow a remote attacker to obtain sensitive information. By perform a timing side-channel attack in the RSA-PSK key exchange, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVE-2024-1737 Opens in a new tab ISC BIND denial of service ISC BIND is vulnerable to a denial of service, caused by an error when content is being added or updated in resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE). By processing queries, a remote attacker could exploit this vulnerability to cause the database to slow down.
CVE-2024-1975 Opens in a new tab ISC BIND denial of service ISC BIND is vulnerable to a denial of service, caused by an error if a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache. By sending a stream of SIG(0) signed requests, a remote attacker could exploit this vulnerability to exhaust all available CPU resources.
CVE-2024-2961 Opens in a new tab GNU C Library code execution GNU C Library could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the ISO-2022-CN-EXT plugin. By sending specially crafted input, an attacker could exploit this vulnerability to overwrite critical data structures and execute arbitrary code on the system or cause the application to crash.
CVE-2024-5742 Opens in a new tab GNU Nano privilege escalation GNU Nano could allow a local authenticated attacker to gain elevated privileges on the system. By using an insecure temporary file, an attacker could exploit this vulnerability to escalate privileges through a malicious symlink.
CVE-2024-6119 Opens in a new tab OpenSSL denial of service OpenSSL is vulnerable to a denial of service, caused by an error when performing certificate name checks (e.g., TLS clients checking server certificates). By sending a specially crafted request, a remote attacker could exploit this vulnerability to read an invalid memory address resulting in abnormal termination of the application process.
CVE-2024-8260 Opens in a new tab Styra Open Policy Agent (OPA) seurity bypass Styra Open Policy Agent (OPA) could allow a local authenticated attacker to bypass security restrictions, caused by a SMB force-authentication . By sending a specially crafted request, an attacker could exploit this vulnerability to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library’s functions.
CVE-2024-21529 Opens in a new tab Node.js dset module code execution Node.js dset module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the dset function. By adding or modifying properties of Object.prototype using a proto or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVE-2024-21534 Opens in a new tab CVE-2024-21534 Versions of the package jsonpath-plus before 10.0.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. Note: The unsafe behavior is still available after applying the fix but it is not turned on by default.
CVE-2024-22020 Opens in a new tab Node.js code execution Node.js could allow a remote attacker to execute arbitrary code on the system. By embedding non-network imports in data URLs, an attacker could exploit this vulnerability to bypass network import restrictions and execute arbitrary code on the system.
CVE-2024-23848 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in cec_queue_msg_fh. A local attacker could exploit this vulnerability to cause the system to crash.
CVE-2024-25062 Opens in a new tab GNOME libxml2 denial of service GNOME libxml2 is vulnerable to a denial of service, caused by a use-after-free flaw in the xmlValidatePopElement() function. By persuading a victim to open a specially crafted content, a remote attacker could exploit this vulnerability to cause the application to crash.
CVE-2024-25710 Opens in a new tab Apache Commons Compress denial of service Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-26308 Opens in a new tab Apache Commons Compress denial of service Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafted Pack200 file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-26595 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in error path. A local attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-26600 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference for SRP. A local attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-26645 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by the lack of visibility when inserting an element into tracing_map. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-26649 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference when load rlc firmware. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-26665 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service caused by out-of-bounds access when building IPv6 PMTU. By sending a specially crafted request, a remote attacker could exploit this vulnerability to a denial of service condition.
CVE-2024-26717 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the i2c-hid-of of HID. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-26720 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by divide-by-zero in Wb_dirty_limits(),. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-26769 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a deadlock flaw on delete association path. By ending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-26855 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in ice_bridge_setlink() of net: ice. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to a denial of service condition.
CVE-2024-26880 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw when caling the resume method. By ending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-26894 Opens in a new tab Linux Kernel information disclosure Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a memory leak in the acpi_processor_power_exit() function. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVE-2024-26923 Opens in a new tab Linux Kernel code execution Linux Kernel could allow a local authenticated attacker to execute arbitrary code on the system, caused by a garbage collector racing flaw against connect(). By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-26939 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw with attempting to free a still active i915 VMA object when parking a GT believed to be idle. By ending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-27013 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw when illegal packet received by tun dev. By ending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-27042 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds access flaw in drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-28182 Opens in a new tab nghttp2 denial of service nghttp2 is vulnerable to a denial of service, caused by a memory exhaustion flaw due to flood of CONTINUATION frames in the HTTP/2 protocol stack. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause excessive CPU usage, and results in a denial of service condition.
CVE-2024-28834 Opens in a new tab GnuTLS information disclosure GnuTLS could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the ECDSA code. By utilize Minerva attack techniques, an attacker could exploit this vulnerability to obtain private key information, and use this information to launch further attacks against the affected system.
CVE-2024-29131 Opens in a new tab Apache Commons Configuration code execution Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-29133 Opens in a new tab Apache Commons Configuration code execution Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-33599 Opens in a new tab glibc netgroup cache buffer overflow glibc is vulnerable to a stack-based buffer overflow, caused by improper bounds checking when the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests. By sending a subsequent client request, a remote attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system.
CVE-2024-33600 Opens in a new tab glibc netgroup cache denial of service glibc is vulnerable to a denial of service, caused by a NULL pointer dereference when the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache. A remote attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-33601 Opens in a new tab glibc netgroup cache denial of service glibc is vulnerable to a denial of service, caused by a memory allocation failure when the Name Service Cache Daemon's (nscd) netgroup cache uses the xmalloc or xrealloc functions. A local attacker could exploit this vulnerability to terminate the daemon.
CVE-2024-33602 Opens in a new tab glibc netgroup cache denial of service glibc is vulnerable to a denial of service, caused by a memory corruption by the Name Service Cache Daemon's (nscd) netgroup cache when the NSS callback fails to store all strings in the provided buffer. A local attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVE-2024-35809 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by drain runtime-idle callbacks before driver removal. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-35877 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in VM_PAT Handling In COW Mappings. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-35884 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in Udp. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-35944 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a memcpy() Run-Time Warning yn Dg_dispatch_as_host(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-35989 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a Kernel oops flaw during rmmod on single-CPU platforms. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-36883 Opens in a new tab Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds access in ops_init. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-36901 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL dereference in ip6_output(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-36902 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL dereference in fib6_rule_action(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-36920 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in scsi: mpi3mr. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-36939 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in handling the error from rpc_proc_register() in nfs_net_init(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-36953 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in gracefully handling the check for a non-NULL vCPU in vgic_v2_parse_attr(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-37356 Linux Kernel code execution Linux Kernel could allow a local authenticated attacker to execute arbitrary code on the system, caused by a shift-out-of-bounds in dctcp_update_alpha(). By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-38558 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw with overwriting the ct original tuple for ICMPv6. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-38559 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds read flaw when using kstrtouint. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-38570 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a glock use-after-free on unmount. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-38581 Linux Kernel code execution Linux Kernel could allow a local authenticated attacker to execute arbitrary code on the system, caused by a use-after-free in drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-38619 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in usb-storage: alauda. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-38809 VMware Tanzu Spring Framework denial of service VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted HTTP request containing ETags from "If-Match" or "If-None-Match" request headers, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-38816 VMware Tanzu Spring Security information disclosure VMware Tanzu Spring Security could allow a remote attacker to obtain sensitive information, caused by a path traversal attack in applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. By sending specially crafted HTTP requests, an attacker could exploit this vulnerability to obtain any file on the file system that is also accessible to the process in which the Spring application is running.
CVE-2024-39331 GNU Emacs code execution GNU Emacs could allow a remote attacker to execute arbitrary code on the system, caused by a code injection flaw in org-link-expand-abbrev in lisp/ol.el. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-39471 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds read in sdma_v4_0.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-39499 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by speculation leaks by sanitizing event in event_deliver() of vmci_event.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-39501 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a race condition in core.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-39506 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer handling path in lio_vf_rep_copy_packet(). A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-39705 Natural Language Toolkit (NLTK) code execution Natural Language Toolkit (NLTK) could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when untrusted packages have pickled Python code, and the integrated data package download functionality is used. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-40901 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by out-of-bounds access when using test_bit() in mpt3sas_base.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40904 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by CPU lockup due to excessive log messages. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40911 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in util.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40912 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by deadlock in ieee80211_sta_ps_deliver_wakeup() in sta_info.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40929 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds access in iwlwifi/mvm/scan.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40931 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in MPTCP. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40941 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in iwlwifi/mvm/fw.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40954 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in sock.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40958 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in net_namespace.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40959 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference involving xfrm6_get_saddr() and ip6_dst_idev(). A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40960 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL dereference in rt6_probe(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40972 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in ext4. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40977 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by potential hung tasks during chip recovery in wifi: mt76: mt7921. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40978 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in scsi: qedi. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40988 drm/radeon: fix UBSAN warning in kv_dpm.c In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix UBSAN warning in kv_dpm.c. Adds bounds check for sumo_vid_mapping_entry.
CVE-2024-40989 KVM: arm64: Disassociate vcpus from redistributor region on teardown In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Disassociate vcpus from redistributor region on teardown. When tearing down a redistributor region, make sure we don't have any dangling pointer to that region stored in a vcpu.
CVE-2024-40995 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by an infinite loop in tcf_idr_check_alloc(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40997 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a memory leak on CPU EPP exit. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-40998 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by uninitialized ratelimit_state->lock access in __ext4_fill_super(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-41005 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a race condition in netpoll_owner_active. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-41007 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in TCP. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-41008 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in the handling and lifecycle of vm->task_info object. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-41012 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by an improper locking flaw when a fcntl/close race is detected. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-41013 Linux Kernel information disclosure Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an out-of-bounds read flaw when accessing the fixed members. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVE-2024-41014 Linux Kernel information disclosure Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by the lack of verification of the space occupied by fixed members of xlog_op_header in the xlog_recover_process_data. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVE-2024-41023 Linux Kernel information disclosure Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a task_struct reference leak flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVE-2024-41035 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a duplicate endpoint bug in the usb_parse_endpoint() function. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-41038 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a buffer overrun when processing V2 alg headers. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-41039 Linux Kernel buffer overflow Linux Kernel is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the wmfw header. By sending a specially crafted request, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CVE-2024-41040 Linux Kernel code execution Linux Kernel could allow a local authenticated attacker to execute arbitrary code on the system, caused by a use-after-free flaw when resolving a clash. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-41041 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw related to set SOCK_RCU_FREE earlier in udp_lib_get_port(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-41044 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by an error related to ppp_async_encode() in ppp_generic.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-41055 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in mmzone.h. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-41056 firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files. Use strnlen() instead of strlen() on the algorithm and coefficient name string arrays in V1 wmfw files. In V1 wmfw files the name is a NUL-terminated string in a fixed-size array. cs_dsp should protect against overrunning the array if the NUL terminator is missing.
CVE-2024-41060 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in radeon_gem.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-41064 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in powerpc/eeh. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-41071 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in wifi: mac80211. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-41076 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in NFSv4. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-41090 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a missing check against the validity of the frame length in the tap_get_user_xdp() path. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-41091 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a missing check against the validity of the frame length in the tun_xdp_one() path. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-41097 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in usb: atm: cxacru. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-41110 Moby authz zero length regression Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request.
CVE-2024-41128 Action Dispatch has possible ReDoS vulnerability in query parameter filtering Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.
CVE-2024-42084 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in ftruncate. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-42090 Linux Kernel denial of service pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER Linux Kernel is vulnerable to a denial of service, caused by deadlock in create_pinctrl() when handling -EPROBE_DEFER. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-42094
CVE-2024-42096
CVE-2024-42114 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a lack of proper range validation by NL80211_ATTR_TXQ_QUANTUM in nl80211.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-42124 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a flaw in scsi: qedf. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-42131 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by an integer overflow in dirty throttling logic. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-42152 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a memory leak in nvmet. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-42154 Linux Kernel information disclosure Linux Kernel information disclosure
CVE-2024-42228 Linux Kernel code execution Linux Kernel could allow a local authenticated attacker to execute arbitrary code on the system, caused by reusing uninitialized data when calling amdgpu_vce_cs_reloc in drm/amdgpu. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service condition.
CVE-2024-42237 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by improperly validating payload length in cs_dsp_load() and cs_dsp_coeff_load(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-42238 Linux Kernel buffer overflow Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking in cs_dsp_power_up(). By sending a specially crafted request, a remote attacker could overflow a buffer to cause a denial of service.
CVE-2024-42240 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by an infinite loop in x86/bhi. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-42246 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a connection failure in xs_tcp_setup_socket. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-42265 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by the failure to protect the fetch of ->fd[fd] in do_dup2() from mispredictions. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2024-42322
CVE-2024-43788 Webpack and Rspack cross-site scripting Webpack and Rspack are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2024-43798 Chisel AUTH environment variable not respected in server entrypoint Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. The Chisel server doesn't ever read the documented AUTH environment variable used to set credentials, which allows any unauthenticated user to connect, even if credentials were set. Anyone running the Chisel server that is using the AUTH environment variable to specify credentials to authenticate against is affected by this vulnerability. Chisel is often used to provide an entrypoint to a private network, which means services that are gated by Chisel may be affected. Additionally, Chisel is often used for exposing services to the internet. An attacker could MITM requests by connecting to a Chisel server and requesting to forward traffic from a remote port. This issue has been addressed in release version 1.10.0.
CVE-2024-43830
CVE-2024-43871 Linux Kernel denial of service Linux Kernel is vulnerable to a denial of service, caused by a memory leakage when using driver API devm_free_percpu(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-45614 Puma HTTP request smuggling Puma is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP X-Forwarded-For header. By sending a specially crafted HTTP(S) X-Forwarded-For header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVE-2024-45801 DOMPurify code execution DOMPurify could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in depth check. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVE-2024-47875
CVE-2024-47887 rails denial of service rails is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in HTTP Token authentication in Action Controller. By sending a specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-47888 rails denial of service Action Text brings rich text content and editing to Rails. Starting in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.
CVE-2024-47889 rails denial of service rails is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in block_format in Action Mailer. By sending a specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.

Fixed security-related vulnerabilities in previous versions

Review the following documentation, which includes the list of fixed reported security-related vulnerabilities in previous versions of IBM Cloud Pak for AIOps: