IBM Support

Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities


Summary

There are vulnerabilities in Open-Source Software (OSS) components consumed by IBM Cognos Dashboards on Cloud Pak for Data. Please refer to the Related Information section below for vulnerability impact. This Security Bulletin relates only to the direct usage of third-party components by IBM Cognos Dashboards on Cloud Pak for Data and not any nested dependencies within the product.

Vulnerability Details

CVEID:   CVE-2024-2398
DESCRIPTION:   cURL libcurl is vulnerable to a denial of service, caused by a memory leak when allowing HTTP/2 server push. By sending specially crafted PUSH_PROMISE frames with an excessive amount of headers, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE:   CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2024-7264
DESCRIPTION:   cURL libcurl could allow a local attacker to obtain sensitive information, caused by an out-of-bounds read flaw in the GTime2str() function. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause the application to crash.
CWE:   CWE-125: Out-of-bounds Read
CVSS Source:   IBM X-Force
CVSS Base score:   3.6
CVSS Vector:   (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L)

CVEID:   CVE-2024-25638
DESCRIPTION:   dnsjava could allow a remote attacker to bypass security restrictions, caused by improper response validation. By sending a specially crafted request, an attacker could exploit this vulnerability to perform DNSSEC bypass.
CWE:   CWE-345: Insufficient Verification of Data Authenticity
CVSS Source:   IBM X-Force
CVSS Base score:   8.9
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L)

CVEID:   CVE-2023-52425
DESCRIPTION:   libexpat is vulnerable to a denial of service, caused by improper system resource allocation. By sending a specially crafted request using an overly large token, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE:   CWE-400: Uncontrolled Resource Consumption
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-28757
DESCRIPTION:   libexpat could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML_ExternalEntityParserCreate function. By using specially crafted XML content, a remote attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE:   CWE-611: Improper Restriction of XML External Entity Reference
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2023-52426
DESCRIPTION:   libexpat is vulnerable to a denial of service, caused by an XML entity expansion flaw if XML_DTD is undefined at compile time. By compiling specially crafted XML input, a local attacker could exploit this vulnerability to cause a denial of service.
CWE:   CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVSS Source:   IBM X-Force
CVSS Base score:   5.1
CVSS Vector:   (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-38372
DESCRIPTION:   Node.js undici could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when using the response.arrayBuffer() function. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE:   CWE-201: Insertion of Sensitive Information Into Sent Data
CVSS Source:   GitHub
CVSS Base score:   2
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N)

CVEID:   CVE-2024-39338
DESCRIPTION:   Axios is vulnerable to server-side request forgery, caused by a flaw in which requests for path-relative URLs are processed as protocol-relative URLs. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack.
CWE:   CWE-918: Server-Side Request Forgery (SSRF)
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2024-28849
DESCRIPTION:   Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by the leakage of credentials when clearing authorization header during cross-domain redirect, but keeping the proxy-authentication header. An attacker could exploit this vulnerability to obtain credentials and other sensitive information.
CWE:   CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Source:   IBM X-Force
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2024-38999
DESCRIPTION:   jrburke requirejs could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in the function s.contexts._.configure. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.
CWE:   CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Source:   IBM X-Force
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2024-38998
DESCRIPTION:   jrburke requirejs could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in the function config. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.
CWE:   CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Source:   IBM X-Force
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2024-41110
DESCRIPTION:   Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request.
CWE:   CWE-863: Incorrect Authorization
CVSS Source:   CVE.org
CVSS Base score:   9.9
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID:   CVE-2024-25710
DESCRIPTION:   Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE:   CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CVSS Source:   IBM X-Force
CVSS Base score:   5.5
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:   CVE-2023-37920
DESCRIPTION:   An unspecified error with the removal of the e-Tugra root certificate in Certifi has an unknown impact and attack vector.
CWE:   CWE-345: Insufficient Verification of Data Authenticity
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2022-23491
DESCRIPTION:   An unspecified error in Certifi, related to TrustCor, whose ownership also operated a business that produced spyware, has an unknown impact and attack vector.
CWE:   CWE-345: Insufficient Verification of Data Authenticity
CVSS Source:   IBM X-Force
CVSS Base score:   6.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)

CVEID:   CVE-2024-41818
DESCRIPTION:   Natural Intelligence fast-xml-parser is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the currency.js script. By sending a specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE:   CWE-1333: Inefficient Regular Expression Complexity
CVSS Source:   CVE.org
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-43796
DESCRIPTION:   expressjs express is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CWE:   CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Source:   IBM X-Force
CVSS Base score:   5
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:   CVE-2024-41755
DESCRIPTION:   IBM Cognos Dashboards on Cloud Pak for Data could allow a remote attacker to perform unauthorized actions due to dependency confusion.
CWE:   CWE-427: Uncontrolled Search Path Element
CVSS Source:   IBM X-Force
CVSS Base score:   8.8
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2024-42461
DESCRIPTION:   Node.js Elliptic module could allow a remote attacker to obtain sensitive information, caused by a flaw in which BER-encoded signatures are allowed. By utilizing cryptographic attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE:   CWE-295: Improper Certificate Validation
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2024-42460
DESCRIPTION:   Node.js Elliptic module could allow a remote attacker to obtain sensitive information, caused by a missing check for whether the leading bit of r and s is zero. By utilizing cryptographic attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE:   CWE-295: Improper Certificate Validation
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2024-42459
DESCRIPTION:   Node.js Elliptic module could allow a remote attacker to obtain sensitive information, caused by a missing signature length check. By utilizing cryptographic attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE:   CWE-295: Improper Certificate Validation
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2024-4067
DESCRIPTION:   Node.js micromatch module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in micromatch.braces() in index.js. By sending a specially crafted payload, a remote attacker could exploit this vulnerability to increase the consumption time until the application hangs or slows down.
CWE:   CWE-1333: Inefficient Regular Expression Complexity
CVSS Source:   CVE.org
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2023-52428
DESCRIPTION:   Connect2id Nimbus-JOSE-JWT is vulnerable to a denial of service, caused by improper validation of user requests by the PasswordBasedDecrypter (PBKDF2) component. By sending a specially crafted request using a large JWE p2c header, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-29131
DESCRIPTION:   Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE:   CWE-787: Out-of-bounds Write
CVSS Source:   IBM X-Force
CVSS Base score:   7.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2024-29133
DESCRIPTION:   Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE:   CWE-787: Out-of-bounds Write
CVSS Source:   IBM X-Force
CVSS Base score:   7.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2024-37890
DESCRIPTION:   Node.js ws module is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted request with multiple HTTP headers, a remote attacker could exploit this vulnerability to cause the server to crash.
CWE:   CWE-476: NULL Pointer Dereference
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-38986
DESCRIPTION:   Deep-merge could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the merge methods of lodash to merge objects. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CWE:   CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Source:   IBM X-Force
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2023-23612
DESCRIPTION:   OpenSearch could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw with whitespace in JWT roles. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authentication and obtain access.
CWE:   CWE-287: Improper Authentication
CVSS Source:   IBM X-Force
CVSS Base score:   4.7
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2023-23613
DESCRIPTION:   OpenSearch could allow a remote authenticated attacker to obtain sensitive information, caused by the insertion of sensitive information into metadata. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE:   CWE-1230: Exposure of Sensitive Information Through Metadata
CVSS Source:   IBM X-Force
CVSS Base score:   5.7
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

CVEID:   CVE-2022-41917
DESCRIPTION:   OpenSearch Project OpenSearch could allow a remote authenticated attacker to obtain sensitive information, caused by incorrect error handling in the REST API. By sending a specially crafted request, an attacker could exploit this vulnerability to read partial file information, and use this information to launch further attacks against the affected system.
CWE:   CWE-755: Improper Handling of Exceptional Conditions
CVSS Source:   IBM X-Force
CVSS Base score:   5.7
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

CVEID:   CVE-2024-36114
DESCRIPTION:   airlift aircompressor could allow a local attacker to obtain sensitive information, caused by an out-of-bounds read/write flaw in the decompressor implementations. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information and crash the JVM.
CWE:   CWE-787: Out-of-bounds Write
CVSS Source:   IBM X-Force
CVSS Base score:   8.6
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)

CVEID:   CVE-2022-31160
DESCRIPTION:   jQuery UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the check-box-radio widget. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CWE:   CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Source:   IBM X-Force
CVSS Base score:   5.4
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

IBM X-Force ID:   298487
DESCRIPTION:   dnsjava is vulnerable to a denial of service, caused by an error when using the ValidatingResolver for DNSSEC validation. By using specially crafted DNSSEC-signed zones, an attacker could exploit this vulnerability to exhaust all available CPU resources.
CWE:   CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source:   IBM X-Force
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

IBM X-Force ID:   298488
DESCRIPTION:   dnsjava is vulnerable to a denial of service, caused by an error when using the ValidatingResolver for DNSSEC validation. By using specially crafted DNSSEC-signed zones, an attacker could exploit this vulnerability to exhaust all available CPU resources.
CWE:   CWE-400: Uncontrolled Resource Consumption
CVSS Source:   IBM X-Force
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)                            Version(s)
IBM Cognos Dashboards on Cloud Pak for Data    5.0.0
IBM Cognos Dashboards on Cloud Pak for Data    4.8.0

Remediation/Fixes

It is strongly recommended that you apply the most recent security update:
 
Affected Product(s)                            Version(s)    Fix Version
IBM Cognos Dashboards on Cloud Pak for Data    5.0.0         Upgrading Cognos Dashboards from Version 5.0 to Version 5.1
IBM Cognos Dashboards on Cloud Pak for Data    4.8.0         Upgrading Cognos Dashboards from Version 4.8 to Version 5.1

Workarounds and Mitigations

None

References

Acknowledgement

Change History

11 Dec 2024: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

Document Information

Modified date: 11 December 2024

UID

ibm17177766