Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM7348A4B4E75EAA37B15CFDA0F187A3D76E4569605C6DA6AEFEBBC71BA49AF114
HistoryMay 31, 2024 - 10:42 a.m.

Security Bulletin: security vulnerabilities are addressed with IBM Business Automation Insights iFix for May 2024.

2024-05-3110:42:53
www.ibm.com
8
ibm business automation insights
ifix
security vulnerabilities
netty
quarkus
eclipse vert.x
isaacs node-tar
cve-2024-29025
cve-2024-2700
cve-2024-1300
cve-2024-28863
security fix 23.0.2-if005

7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

Summary

Security vulnerabilities are addressed with IBM Business Automation Insights 23.0.2-IF005.

Vulnerability Details

CVEID:CVE-2024-29025
**DESCRIPTION:**Netty is vulnerable to a denial of service, caused by a flaw when using the HttpPostRequestDecoder to decode a form. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286403 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2024-2700
**DESCRIPTION:**Quarkus could allow a local authenticated attacker to obtain sensitive information, caused by cleartext storage of sensitive information in an environment variable. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain local configuration properties information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287293 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2024-1300
**DESCRIPTION:**Eclipse Vert.x is vulnerable to a denial of service, caused by a memory leak when a TCP server is configured with TLS and SNI support. By sending a specially crafted TLS client hello message, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282749 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2024-28863
**DESCRIPTION:**isaacs node-tar is vulnerable to a denial of service, caused by the lack of folders count validation. By sending a specially crafted request, an remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286169 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Business Automation Insights All
IBM Business Automation Insights All
IBM Business Automation Insights All
IBM Business Automation Insights All

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s) **Version(s) number and/or range ** Remediation/Fix/Instructions
IBM Business Automation Insights 23.0.2 Apply security fix 23.0.2-IF005

Workarounds and Mitigations

None.

Affected configurations

Vulners
Node
ibmbusiness_automation_workflowMatch23.0.2

Related

redhat 12
cvelist 4
ubuntucve 2
github 4
osv 7
nvd 4
cbl_mariner 1
nessus 6
veracode 5
cgr 3
ibm 13
debiancve 2
f5 1
redhatcve 4
cve 4
wolfi 3
openvas 1
vulnrichment 2
redos 1
redhat
redhat
(RHSA-2024:2705) Moderate: Red Hat build of Quarkus 3.2.12 release and security update
2024-05-09 11:54:42
(RHSA-2024:2106) Moderate: Red Hat build of Quarkus 3.8.4 release
2024-05-07 16:19:27
(RHSA-2024:2833) Moderate: Service Registry (container images) release and security update [2.5.11 GA]
2024-05-14 09:05:37
cvelist
cvelist
CVE-2024-29025 Netty HttpPostRequestDecoder can OOM
2024-03-25 20:09:35
CVE-2024-28863 node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation
2024-03-21 22:10:23
CVE-2024-1300 Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support
2024-04-02 07:33:05
ubuntucve
ubuntucve
CVE-2024-29025
2024-03-25 00:00:00
CVE-2024-28863
2024-03-21 00:00:00
github
github
Denial of service while parsing a tar file due to lack of folders count validation
2024-03-22 16:57:05
Netty's HttpPostRequestDecoder can OOM
2024-03-25 19:40:50
quarkus-core leaks local environment variables from Quarkus namespace during application's build
2024-04-04 15:30:34
osv
osv
CVE-2024-28863
2024-03-21 23:15:10
Denial of service while parsing a tar file due to lack of folders count validation
2024-03-22 16:57:05
Netty's HttpPostRequestDecoder can OOM
2024-03-25 19:40:50
nvd
nvd
CVE-2024-28863
2024-03-21 23:15:10
CVE-2024-29025
2024-03-25 20:15:08
CVE-2024-1300
2024-04-02 08:15:53
cbl_mariner
cbl_mariner
CVE-2024-28863 affecting package nodejs for versions less than 20.14.0-1
2024-06-21 09:32:44
nessus
nessus
Node.js Module node-tar < 6.2.1 DoS
2024-03-29 00:00:00
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : netty, netty-tcnative (SUSE-SU-2024:1079-1)
2024-04-03 00:00:00
RHEL 6 : netty-codec-http (Unpatched Vulnerability)
2024-06-22 00:00:00
veracode
veracode
Denial Of Service (DoS)
2024-03-25 13:36:34
Denial Of Service (DoS)
2024-03-26 16:59:03
Denial Of Service (DoS)
2024-03-28 03:09:13
cgr
cgr
CVE-2024-28863 vulnerabilities
2024-05-19 03:07:16
CVE-2024-29025 vulnerabilities
2024-05-19 03:07:16
CVE-2024-2700 vulnerabilities
2024-05-19 03:07:16
ibm
ibm
Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service due to node-tar (CVE-2024-28863)
2024-05-22 10:31:02
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is affected by a Denial of Service Vulnerability in Netty (CVE-2024-29025)
2024-05-20 14:44:49
Security Bulletin: IBM® Db2® federated server is affected by a vulnerability in the open source netty-codec-http library. (CVE-2024-29025)
2024-06-11 17:35:37
debiancve
debiancve
CVE-2024-28863
2024-03-21 23:15:10
CVE-2024-29025
2024-03-25 20:15:08
f5
f5
K000139643: Node-tar vulnerability CVE-2024-28863
2024-05-16 00:00:00
redhatcve
redhatcve
CVE-2024-28863
2024-06-20 09:51:26
CVE-2024-29025
2024-04-03 12:18:09
CVE-2024-1300
2024-02-07 07:29:55
cve
cve
CVE-2024-28863
2024-03-21 23:15:10
CVE-2024-29025
2024-03-25 20:15:08
CVE-2024-1300
2024-04-02 08:15:53
wolfi
wolfi
CVE-2024-28863 vulnerabilities
2024-06-25 03:08:26
CVE-2024-29025 vulnerabilities
2024-06-25 03:08:26
CVE-2024-2700 vulnerabilities
2024-06-25 03:08:26
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2024:1079-1)
2024-05-07 00:00:00
vulnrichment
vulnrichment
CVE-2024-1300 Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support
2024-04-02 07:33:05
CVE-2024-2700 Quarkus-core: leak of local configuration properties into quarkus applications
2024-04-04 13:46:39
redos
redos
ROS-20240514-04
2024-05-14 00:00:00

7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON
Related for 7348A4B4E75EAA37B15CFDA0F187A3D76E4569605C6DA6AEFEBBC71BA49AF114
redhat12cvelist4ubuntucve2github4osv7nvd4cbl_mariner1nessus6veracode5cgr3ibm13debiancve2f51redhatcve4cve4wolfi3openvas1vulnrichment2redos1