Security Bulletin
Summary
In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 2.0
Vulnerability Details
CVEID: CVE-2024-52317
DESCRIPTION: Apache Tomcat could provide weaker than expected security, caused by an incorrect recycling of the request and response used by HTTP/2 requests. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CWE: CWE-754: Improper Check for Unusual or Exceptional Conditions
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2024-49767
DESCRIPTION: Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no uppe
CWE: CWE-400: Uncontrolled Resource Consumption
CVSS Source: CVE.org
CVSS Base score: 6.9
CVSS Vector: (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N)
CVEID: CVE-2024-31141
DESCRIPTION: Apache Kafka could allow a local authenticated attacker to gain elevated privileges on the system, caused by an incorrect privilege management flaw. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges to read arbitrary contents of the disk and environment variables.
CWE: CWE-552: Files or Directories Accessible to External Parties
CVSS Source: IBM X-Force
CVSS Base score: 6.8
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2024-38998
DESCRIPTION: jrburke requirejs could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in the function config. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.
CWE: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Source: IBM X-Force
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-21540
DESCRIPTION: All versions of the package source-map-support are vulnerable to Directory Traversal in the retrieveSourceMap function.
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Source: CVE.org
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-52316
DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by a flaw when using a custom Jakarta Authentication ServerAuthContext component. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the authentication process.
CWE: CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-38827
DESCRIPTION: VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by a locale dependent exceptions issue in the useage of String.toLowerCase() and String.toUpperCase() fimctopms. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authorization rules.
CWE: CWE-863: Incorrect Authorization
CVSS Source: IBM X-Force
CVSS Base score: 4.8
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2022-46175
DESCRIPTION: JSON5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the parse method. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CWE: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Source: IBM X-Force
CVSS Base score: 7.1
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H)
CVEID: CVE-2024-38820
DESCRIPTION: VMware Tanzu Spring Framework could provide weaker than expected security, caused by a flaw related to disallowedFields patterns in DataBinder is case insensitive. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CWE: CWE-178: Improper Handling of Case Sensitivity
CVSS Source: IBM X-Force
CVSS Base score: 3.1
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2022-23491
DESCRIPTION: An unspecified error in with TrustCor's ownership also operated a business that produced spyware in Certifi has an unknown impact and attack vector.
CWE: CWE-345: Insufficient Verification of Data Authenticity
CVSS Source: IBM X-Force
CVSS Base score: 6.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)
CVEID: CVE-2024-42367
DESCRIPTION: aio-libs aiohttp ould allow a remote attacker to traverse directories on the system, caused by improper archive file validation. An attacker could use a specially crafted archive file containing "dot dot" sequences (/../) to create arbitrary symlinks on the system.
CWE: CWE-61: UNIX Symbolic Link (Symlink) Following
CVSS Source: CVE.org
CVSS Base score: 4.8
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2022-37603
DESCRIPTION: webpack loader-utils is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the interpolateName function in interpolateName.js. By sending a specially-crafted regex input using the url variable, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1333: Inefficient Regular Expression Complexity
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-33503
DESCRIPTION: urllib3 is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw due to catastrophic backtracking. By sending a specially-crafted URL request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-400: Uncontrolled Resource Consumption
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2024-37891
DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to strip the Proxy-Authorization header during cross-origin redirects. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information.
CWE: CWE-669: Incorrect Resource Transfer Between Spheres
CVSS Source: IBM X-Force
CVSS Base score: 4.4
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2023-43804
DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with cookie request header not stripped during cross-origin redirects. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2020-7212
DESCRIPTION: urllib3 is vulnerable to a denial of service, caused by a flaw in the _encode_invalid_chars function in util/url.py. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-20: Improper Input Validation
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2020-26137
DESCRIPTION: urllib3 is vulnerable to CRLF injection. By inserting CR and LF control characters in the first argument of putrequest(), a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CWE: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CVSS Source: IBM X-Force
CVSS Base score: 6.1
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2023-45803
DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with not remove the HTTP request body when an HTTP redirect response using status 303. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Source: CVE.org
CVSS Base score: 4.2
CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-47072
DESCRIPTION: XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow in BinaryStreamDriver. By sending a specially crafted binary input stream, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-121: Stack-based Buffer Overflow
CVSS Source: Github
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-43485
DESCRIPTION: Microsoft .NET and Visual Studio are vulnerable to a denial of service, caused by an algorithmic complexity flaw. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-407: Inefficient Algorithmic Complexity
CVSS Source: Microsoft
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-52304
DESCRIPTION: aiohttp could allow a remote attacker to bypass security restrictions, caused by an incorrect parsing of chunk extensions. By sending a specially crafted query request, an attacker could exploit this vulnerability to bypass access restrictionsto bypass certain firewalls or proxy protections.
CWE: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2024-49766
DESCRIPTION: Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Source: CVE.org
CVSS Base score: 6.3
CVSS Vector: (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)
CVEID: CVE-2022-37599
DESCRIPTION: loader-utils is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the interpolateName.js script. By sending specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-1333: Inefficient Regular Expression Complexity
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-37601
DESCRIPTION: webpack loader-utils could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the parseQuery function in parseQuery.js. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CWE: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Source: IBM X-Force
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-9823
DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by a flaw in the DosFilter feature. By sending specially crafted requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source: GitHub
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2024-6762
DESCRIPTION: Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.
CWE: CWE-400: Uncontrolled Resource Consumption
CVSS Source: CVE.org
CVSS Base score: 3.1
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-15209
DESCRIPTION: LibTIFF is vulnerable to a denial of service, caused by a heap-based buffer overflow in the ChopUpSingleUncompressedStrip in tif_dirread.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-122: Heap-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 3.3
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2022-24999
DESCRIPTION: Express.js Express is vulnerable to a denial of service, caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25433
DESCRIPTION: LibTIFF is vulnerable to a denial of service, caused by a heap-based buffer overflow in /libtiff/tools/tiffcrop.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CWE: CWE-122: Heap-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-50314
DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274713.
CWE: CWE-295: Improper Certificate Validation
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2023-52356
DESCRIPTION: LibTIFF is vulnerable to a denial of service, caused by a segment fault (SEGV) flaw in the TIFFReadRGBATileExt() API. By passing a specially crafted tiff file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-122: Heap-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-6228
DESCRIPTION: LibTIFF is vulnerable to a denial of service, caused by a heap-based buffer overflow in cpStripToTile() function in tools/tiffcp.c. By persuading a victim to open a specially crafted content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-122: Heap-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-34155
DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a stack exhaustion in all Parse* functions. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1325: Improperly Controlled Sequential Memory Allocation
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-34156
DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a stack exhaustion in Decoder.Decode. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1325: Improperly Controlled Sequential Memory Allocation
CVSS Source: CISA ADP
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-34158
DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a stack exhaustion in Parse. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1325: Improperly Controlled Sequential Memory Allocation
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-38428
DESCRIPTION: GNU Wget could allow a remote authenticated attacker to bypass security restrictions, caused by the mishandling of semicolons in the userinfo subcomponent of a URI. By sending a specially crafted request, an attacker could exploit this vulnerability to perform unauthorized actions.
CWE: CWE-115: Misinterpretation of Input
CVSS Source: IBM X-Force
CVSS Base score: 5.4
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2024-39338
DESCRIPTION: Axios is vulnerable to server-side request forgery, caused by a flaw with requests for path relative URLs get processed as protocol relative URLs. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.
CWE: CWE-918: Server-Side Request Forgery (SSRF)
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-51504
DESCRIPTION: Apache ZooKeeper could allow a remote attacker to bypass security restrictions, caused by a flaw when using IPAuthenticationProvider. By spoofing client's IP address in request headers, an attacker could exploit this vulnerability to bypass authentication.
CWE: CWE-290: Authentication Bypass by Spoofing
CVSS Source: IBM X-Force
CVSS Base score: 9.1
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2024-52303
DESCRIPTION: aio-libs aiohttp is vulnerable to a denial of service, caused by a memory leak when middlewares are used. By sending a specially crafted request, a remote attacker could exploit this vulnerability to exhaust available memory resources on the server, and results in a denial of service condition.
CWE: CWE-772: Missing Release of Resource after Effective Lifetime
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
DESCRIPTION: Apache Tomcat could provide weaker than expected security, caused by an incorrect recycling of the request and response used by HTTP/2 requests. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CWE: CWE-754: Improper Check for Unusual or Exceptional Conditions
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2024-49767
DESCRIPTION: Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no uppe
CWE: CWE-400: Uncontrolled Resource Consumption
CVSS Source: CVE.org
CVSS Base score: 6.9
CVSS Vector: (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N)
CVEID: CVE-2024-31141
DESCRIPTION: Apache Kafka could allow a local authenticated attacker to gain elevated privileges on the system, caused by an incorrect privilege management flaw. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges to read arbitrary contents of the disk and environment variables.
CWE: CWE-552: Files or Directories Accessible to External Parties
CVSS Source: IBM X-Force
CVSS Base score: 6.8
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2024-38998
DESCRIPTION: jrburke requirejs could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in the function config. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.
CWE: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Source: IBM X-Force
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-21540
DESCRIPTION: All versions of the package source-map-support are vulnerable to Directory Traversal in the retrieveSourceMap function.
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Source: CVE.org
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-52316
DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by a flaw when using a custom Jakarta Authentication ServerAuthContext component. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the authentication process.
CWE: CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-38827
DESCRIPTION: VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by a locale dependent exceptions issue in the useage of String.toLowerCase() and String.toUpperCase() fimctopms. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authorization rules.
CWE: CWE-863: Incorrect Authorization
CVSS Source: IBM X-Force
CVSS Base score: 4.8
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2022-46175
DESCRIPTION: JSON5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the parse method. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CWE: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Source: IBM X-Force
CVSS Base score: 7.1
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H)
CVEID: CVE-2024-38820
DESCRIPTION: VMware Tanzu Spring Framework could provide weaker than expected security, caused by a flaw related to disallowedFields patterns in DataBinder is case insensitive. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CWE: CWE-178: Improper Handling of Case Sensitivity
CVSS Source: IBM X-Force
CVSS Base score: 3.1
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2022-23491
DESCRIPTION: An unspecified error in with TrustCor's ownership also operated a business that produced spyware in Certifi has an unknown impact and attack vector.
CWE: CWE-345: Insufficient Verification of Data Authenticity
CVSS Source: IBM X-Force
CVSS Base score: 6.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)
CVEID: CVE-2024-42367
DESCRIPTION: aio-libs aiohttp ould allow a remote attacker to traverse directories on the system, caused by improper archive file validation. An attacker could use a specially crafted archive file containing "dot dot" sequences (/../) to create arbitrary symlinks on the system.
CWE: CWE-61: UNIX Symbolic Link (Symlink) Following
CVSS Source: CVE.org
CVSS Base score: 4.8
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2022-37603
DESCRIPTION: webpack loader-utils is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the interpolateName function in interpolateName.js. By sending a specially-crafted regex input using the url variable, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1333: Inefficient Regular Expression Complexity
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-33503
DESCRIPTION: urllib3 is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw due to catastrophic backtracking. By sending a specially-crafted URL request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-400: Uncontrolled Resource Consumption
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2024-37891
DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to strip the Proxy-Authorization header during cross-origin redirects. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information.
CWE: CWE-669: Incorrect Resource Transfer Between Spheres
CVSS Source: IBM X-Force
CVSS Base score: 4.4
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2023-43804
DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with cookie request header not stripped during cross-origin redirects. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2020-7212
DESCRIPTION: urllib3 is vulnerable to a denial of service, caused by a flaw in the _encode_invalid_chars function in util/url.py. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-20: Improper Input Validation
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2020-26137
DESCRIPTION: urllib3 is vulnerable to CRLF injection. By inserting CR and LF control characters in the first argument of putrequest(), a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CWE: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CVSS Source: IBM X-Force
CVSS Base score: 6.1
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2023-45803
DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with not remove the HTTP request body when an HTTP redirect response using status 303. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Source: CVE.org
CVSS Base score: 4.2
CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-47072
DESCRIPTION: XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow in BinaryStreamDriver. By sending a specially crafted binary input stream, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-121: Stack-based Buffer Overflow
CVSS Source: Github
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-43485
DESCRIPTION: Microsoft .NET and Visual Studio are vulnerable to a denial of service, caused by an algorithmic complexity flaw. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-407: Inefficient Algorithmic Complexity
CVSS Source: Microsoft
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-52304
DESCRIPTION: aiohttp could allow a remote attacker to bypass security restrictions, caused by an incorrect parsing of chunk extensions. By sending a specially crafted query request, an attacker could exploit this vulnerability to bypass access restrictionsto bypass certain firewalls or proxy protections.
CWE: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2024-49766
DESCRIPTION: Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Source: CVE.org
CVSS Base score: 6.3
CVSS Vector: (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)
CVEID: CVE-2022-37599
DESCRIPTION: loader-utils is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the interpolateName.js script. By sending specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-1333: Inefficient Regular Expression Complexity
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-37601
DESCRIPTION: webpack loader-utils could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the parseQuery function in parseQuery.js. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CWE: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Source: IBM X-Force
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-9823
DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by a flaw in the DosFilter feature. By sending specially crafted requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source: GitHub
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2024-6762
DESCRIPTION: Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.
CWE: CWE-400: Uncontrolled Resource Consumption
CVSS Source: CVE.org
CVSS Base score: 3.1
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-15209
DESCRIPTION: LibTIFF is vulnerable to a denial of service, caused by a heap-based buffer overflow in the ChopUpSingleUncompressedStrip in tif_dirread.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-122: Heap-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 3.3
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2022-24999
DESCRIPTION: Express.js Express is vulnerable to a denial of service, caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25433
DESCRIPTION: LibTIFF is vulnerable to a denial of service, caused by a heap-based buffer overflow in /libtiff/tools/tiffcrop.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CWE: CWE-122: Heap-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-50314
DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274713.
CWE: CWE-295: Improper Certificate Validation
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2023-52356
DESCRIPTION: LibTIFF is vulnerable to a denial of service, caused by a segment fault (SEGV) flaw in the TIFFReadRGBATileExt() API. By passing a specially crafted tiff file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-122: Heap-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-6228
DESCRIPTION: LibTIFF is vulnerable to a denial of service, caused by a heap-based buffer overflow in cpStripToTile() function in tools/tiffcp.c. By persuading a victim to open a specially crafted content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-122: Heap-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-34155
DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a stack exhaustion in all Parse* functions. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1325: Improperly Controlled Sequential Memory Allocation
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-34156
DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a stack exhaustion in Decoder.Decode. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1325: Improperly Controlled Sequential Memory Allocation
CVSS Source: CISA ADP
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-34158
DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a stack exhaustion in Parse. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1325: Improperly Controlled Sequential Memory Allocation
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-38428
DESCRIPTION: GNU Wget could allow a remote authenticated attacker to bypass security restrictions, caused by the mishandling of semicolons in the userinfo subcomponent of a URI. By sending a specially crafted request, an attacker could exploit this vulnerability to perform unauthorized actions.
CWE: CWE-115: Misinterpretation of Input
CVSS Source: IBM X-Force
CVSS Base score: 5.4
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2024-39338
DESCRIPTION: Axios is vulnerable to server-side request forgery, caused by a flaw with requests for path relative URLs get processed as protocol relative URLs. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.
CWE: CWE-918: Server-Side Request Forgery (SSRF)
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-51504
DESCRIPTION: Apache ZooKeeper could allow a remote attacker to bypass security restrictions, caused by a flaw when using IPAuthenticationProvider. By spoofing client's IP address in request headers, an attacker could exploit this vulnerability to bypass authentication.
CWE: CWE-290: Authentication Bypass by Spoofing
CVSS Source: IBM X-Force
CVSS Base score: 9.1
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2024-52303
DESCRIPTION: aio-libs aiohttp is vulnerable to a denial of service, caused by a memory leak when middlewares are used. By sending a specially crafted request, a remote attacker could exploit this vulnerability to exhaust available memory resources on the server, and results in a denial of service condition.
CWE: CWE-772: Missing Release of Resource after Effective Lifetime
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| IBM Process Mining | 1.15.0 IF004, 1.15.0 IF003, 1.15.0 IF002, 1.15.0 IF001, 1.15.0 |
Remediation/Fixes
Any open source library may be included in one or more sub-components of IBM Process Mining. Open source updates are not always synchronized across all components. The CVE in this bulletin are specifically addressed by
|
Product(s) |
Version(s) number and/or range | Remediation/Fix/Instructions |
| IBM Process Mining |
1.15.0 IF004, 1.15.0 IF003, 1.15.0 IF002, 1.15.0 IF001, 1.15.0 |
Upgrade to version 2.0 |
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Off
Acknowledgement
Change History
13 Dec 2024: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Document Location
Worldwide
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSB8W0H","label":"IBM Process Mining"},"Component":"","Platform":[{"code":"PF040","label":"RedHat OpenShift"},{"code":"PF016","label":"Linux"}],"Version":"1.15.0 IF004, 1.15.0 IF003, 1.15.0 IF002, 1.15.0 IF001, 1.15.0","Edition":"","Line of Business":{"code":"LOB76","label":"Data Platform"}},{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSWR2IP","label":"IBM Process Mining as a Service"},"Component":"","Platform":[{"code":"PF040","label":"RedHat OpenShift"},{"code":"PF016","label":"Linux"},{"code":"PF031","label":"Ubuntu"}],"Version":"1.XX.X","Edition":"","Line of Business":{"code":"LOB76","label":"Data Platform"}}]
Was this topic helpful?
Document Information
Modified date:
14 April 2025
UID
ibm17178798