Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 1.14.4 IF001

Summary

The following security vulnerabilities are addressed with IBM Process Mining 1.14.4 IF001

Vulnerability Details

CVEID:CVE-2024-22259
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in UriComponentsBuilder. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285631 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)

CVEID:CVE-2024-22234
**DESCRIPTION:**VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by improper access control when using the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method . By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283739 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2024-21506
**DESCRIPTION:**MongoDB PyMongo could allow a local attacker to obtain sensitive information, caused by an out-of-bounds read flaw in the bson module. By sending a specially crafted payload, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287290 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)

CVEID:CVE-2024-23672
**DESCRIPTION:**Apache Tomcat is vulnerable to a denial of service, caused by an incomplete cleanup flaw. By sending specially crafted WebSocket connections, a remote attacker could exploit this vulnerability to increased resource consumption, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285496 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-24549
**DESCRIPTION:**Apache Tomcat is vulnerable to a denial of service, caused by improper input validation by the HTTP/2 header. By sending specially crafted HTTP/2 requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285497 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-22243
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability when using UriComponentsBuilder to parse an externally provided URL. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283965 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)

CVEID:CVE-2024-23944
**DESCRIPTION:**Apache ZooKeeper could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in persistent watchers handling. By attaching a persistent watcher to a parent, an attacker could exploit this vulnerability to obtain information of the full path of znodes, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285579 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2023-52428
**DESCRIPTION:**Connect2id Nimbus-JOSE-JWT is vulnerable to a denial of service, caused by improper validation of user requests by the PasswordBasedDecrypter (PBKDF2) component. By sending a specially crafted request using a large JWE p2c header, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/284044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-21634
**DESCRIPTION:**Amazon Ion is vulnerable to a denial of service, caused by a stack-based overflow in ion-java for applications. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279362 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-39631
**DESCRIPTION:**LangChain could allow a remote attacker to execute arbitrary code on the system, caused by improper neutralization of user supplied-input by the evaluate function in the numexpr library. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265761 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

Any open source library may be included in one or more sub-components of IBM Process Mining. Open source updates are not always synchronized across all components. The CVEs in this bulletin are specifically addressed by

Product(s)

| Version(s) number and/or range| Remediation/Fix/Instructions
—|—|—
IBM Process Mining|

1.14.4

|

**Upgrade to version 1.14.4 IF001 **<https://www.ibm.com/support/pages/node/7149312&gt;

Workarounds and Mitigations

None