Security Bulletin: IBM Financial Transaction Manager is impacted by multiple vulnerabilities in RedHat Proxy for Kubernetes RBAC authorization

Vulnerability Details

CVEID:   CVE-2024-55549
DESCRIPTION:   xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.
CWE:   CWE-416: Use After Free
CVSS Source:   cve@mitre.org
CVSS Base score:   7.8
CVSS Vector:   (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H)

CVEID:   CVE-2025-0624
DESCRIPTION:   A flaw was found in grub2. During the network boot process, when trying to search for the configuration file, grub copies data from a user controlled environment variable into an internal buffer using the grub_strcpy() function. During this step, it fails to consider the environment variable length when allocating the internal buffer, resulting in an out-of-bounds write. If correctly exploited, this issue may result in remote code execution through the same network segment grub is searching for the boot information, which can be used to by-pass secure boot protections.
CWE:   CWE-787: Out-of-bounds Write
CVSS Source:   secalert@redhat.com
CVSS Base score:   7.6
CVSS Vector:   (CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID:   CVE-2025-24855
DESCRIPTION:   numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.
CWE:   CWE-416: Use After Free
CVSS Source:   cve@mitre.org
CVSS Base score:   7.8
CVSS Vector:   (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H)

CVEID:   CVE-2025-30204
DESCRIPTION:   golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
CWE:   CWE-405: Asymmetric Resource Consumption (Amplification)
CVSS Source:   security-advisories@github.com
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-49043
DESCRIPTION:   xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.
CWE:   CWE-416: Use After Free
CVSS Source:   cve@mitre.org
CVSS Base score:   8.1
CVSS Vector:   (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID:   CVE-2024-53150
DESCRIPTION:   In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.
CWE:   CWE-125: Out-of-bounds Read
CVSS Source:   NVD
CVSS Base score:   7.1
CVSS Vector:   (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)

CVEID:   CVE-2025-29781
DESCRIPTION:   The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. Baremetal Operator enables users to load Secret from arbitrary namespaces upon deployment of the namespace scoped Custom Resource `BMCEventSubscription`. Prior to versions 0.8.1 and 0.9.1, an adversary Kubernetes account with only namespace level roles (e.g. a tenant controlling a namespace) may create a `BMCEventSubscription` in his authorized namespace and then load Secrets from his unauthorized namespaces to his authorized namespace via the Baremetal Operator, causing Secret Leakage. The patch makes BMO refuse to read Secrets from other namespace than where the corresponding BMH resource is. The patch does not change the `BMCEventSubscription` API in BMO, but stricter validation will fail the request at admission time. It will also prevent the controller reading such Secrets, in case the BMCES CR has already been deployed. The issue exists for all versions of BMO, and is patched in BMO releases v0.9.1 and v0.8.1. Prior upgrading to patched BMO version, duplicate any existing Secret pointed to by `BMCEventSubscription`'s `httpHeadersRef` to the same namespace where the corresponding BMH exists. After upgrade, remove the old Secrets. As a workaround, the operator can configure BMO RBAC to be namespace scoped, instead of cluster scoped, to prevent BMO from accessing Secrets from other namespaces, and/or use `WATCH_NAMESPACE` configuration option to limit BMO to single namespace.
CWE:   CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Source:   security-advisories@github.com
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)