B&R Industrial Automation Security Vulnerabilities

Important: R

Issue Overview: Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user's system....

CVE-2024-27322

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted....

Arbitrary Code Execution

r-base is vulnerable to Arbitrary Code Execution. The vulnerability is due to deserialization of untrusted data, which can occur when interacting with a maliciously crafted RDS (R Data Serialization) formatted file or R package, allows maliciously crafted RDS (R Data Serialization) formatted files....

CVE-2023-38856

Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the get_string function in...

CVE-2023-38854

Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the transcode_latin1_to_utf8 function in...

CVE-2023-38852

Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the unicode_decode_wcstombs function in...

CVE-2023-38855

Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the get_string function in...

CVE-2023-38851

Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the xls_parseWorkBook function in...

CVE-2023-38853

Buffer Overflow vulnerability in libxlsv.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the xls_parseWorkBook function in...

Security Bulletin: HTTP request smuggling vulnerability in IBM Business Automation Workflow Machine Learning Server CVE-2024-1135

Summary In addition to updates to operating system level packages, IBM Business Automation Workflow Machine Learning Server 23.0.2-IF003 addresses the following vulnerability CVE-2024-1135. Vulnerability Details ** CVEID: CVE-2024-1135 DESCRIPTION: **Gunicorn is vulnerable to HTTP request...

Security Bulletin: Spring vulnerability in embedded components may affect IBM Business Automation Workflow - CVE-2024-22243

Summary IBM Business Automation Workflow is vulnerable to a open redirect attack. Vulnerability Details ** CVEID: CVE-2024-22243 DESCRIPTION: **VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability when using...

Security Bulletin: Multiple vulnerabilities in IBM MQ affect IBM Robotic Process Automation.

Summary Multiple vulnerabilities in IBM MQ affect IBM Robotic Process Automation. IBM MQ is used by IBM Robotic Process Automation for message queueing. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details ** CVEID: CVE-2023-26159 DESCRIPTION:...

Security Bulletin: Multiple vulnerabilities in IBM MQ affect IBM Robotic Process Automation.

Summary Multiple vulnerabilities in IBM MQ affect IBM Robotic Process Automation. IBM MQ is used by IBM Robotic Process Automation for message queueing. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details ** CVEID: CVE-2023-5072 DESCRIPTION:...

Security Bulletin: Multiple vulnerabilities in IBM WebSphere Liberty Profile affect IBM Robotic Process Automation.

Summary Multiple vulnerabilities in IBM MQ affect IBM Robotic Process Automation. IBM MQ is used by IBM Robotic Process Automation as part of UMS and as an application server for container deployments. This bulletin identifies the security fixes to apply to address the vulnerability. ...

Security Bulletin: Denial of Service vulnerability in WebSphere Liberty affects IBM Business Automation Workflow - CVE-2024-22353

Summary IBM WebSphere Application Server Liberty profile is shipped with IBM Business Automation Workflow components User Management Service and Process Federation Service. Liberty is also used in containerized versions of IBM Business Automation Workflow. Liberty is vulnerable to a denial of...

Security Bulletin: Denial of Service vulnerability in WebSphere Liberty affects IBM Business Automation Workflow - CVE-2024-27268

Summary IBM WebSphere Application Server Liberty profile is shipped with IBM Business Automation Workflow components User Management Service and Process Federation Service. Liberty is also used in containerized versions of IBM Business Automation Workflow. Liberty is vulnerable to a denial of...

Security Bulletin: Denial of Service vulnerability in WebSphere Liberty affects IBM Business Automation Workflow - CVE-2024-27270

Summary IBM WebSphere Application Server Liberty profile is shipped with IBM Business Automation Workflow components User Management Service and Process Federation Service. Liberty is also used in containerized versions of IBM Business Automation Workflow. Liberty is vulnerable to a cross-site...

Security Bulletin: Weaker than expected security vulnerability affect IBM Business Automation Workflow - CVE-2024-22329

Summary IBM WebSphere Application Server Liberty profile is shipped with Process Federation Server and User Management Services in IBM Business Automation Workflow traditional. IBM Business Automation Workflow containers build upon IBM WebSphere Liberty profile. Information about a security...

Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow - CVE-2024-25710, CVE-2024-26308

Summary IBM Business Automation Workflow is vulnerable to a Denial of Service attack. Vulnerability Details ** CVEID: CVE-2024-25710 DESCRIPTION: **Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted...

Security Bulletin: Vulnerabilty in the .NET Core Framework may affect IBM Robotic Process Automation and could allow an attacker to remotely execute arbitrary code.

Summary There is a vulnerability in System.Drawing.Comman used by IBM Robotic Process Automation as part of the .NET Core framework. (CVE-2021-24112). The vulnerability could allow an attacker to remotely execute arbitrary code. This bulletin identifies the security fixes to apply to address this.....

Security Bulletin: Multiple vulnerabilities in eclipse jetty affect IBM Business Automation Workflow

Summary IBM Business Automation Workflow packages a vulnerable version of the eclipse jetty library. Vulnerability Details ** CVEID: CVE-2020-27216 DESCRIPTION: **Eclipse Jetty could allow a local authenticated attacker to gain elevated privileges on the system, caused by a race condition in the...

Security Bulletin: Multiple vulnerabilities in angular.js affect IBM Business Automation Workflow.

Summary IBM Business Automation Workflow packages a vulnerable copy of angular.js. Vulnerability Details ** CVEID: CVE-2023-26117 DESCRIPTION: **AngularJS is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the $resource service. By providing...

Security Bulletin: Weaker than expected security vulnerability affect IBM Business Automation Workflow - CVE-2024-25026

Summary IBM WebSphere Application Server Liberty profile is shipped with Process Federation Server and User Management Services in IBM Business Automation Workflow traditional. IBM Business Automation Workflow containers build upon IBM WebSphere Liberty profile. Information about a security...

Security Bulletin: Vulnerability in jjwt may affect IBM Business Automation Workflow - CVE-2024-31033

Summary IBM Business Automation Workflow packages a vulnerable copy of jjwt. Vulnerability Details ** CVEID: CVE-2024-31033 DESCRIPTION: **An unspecified error with ignoring certain characters in jwtk JJWT (aka Java JWT) has an unknown impact and attack vector. CVSS Base score: 6.8 CVSS Temporal...

Security Bulletin: Weaker than expected security vulnerability affect IBM Business Automation Workflow - CVE-2024-22329

Summary IBM WebSphere Application Server Liberty profile is shipped with Process Federation Server and User Management Services in IBM Business Automation Workflow traditional. IBM Business Automation Workflow containers build upon IBM WebSphere Liberty profile. Information about a security...

Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow - CVE-2023-51775

Summary IBM Business Automation Workflow is vulnerable to a Denial of Service attack. Vulnerability Details ** CVEID: CVE-2023-51775 DESCRIPTION: **jose4j is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted p2c value, a remote attacker could...

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation Fixes for May 2024.

Summary In addition to OS level package updates, multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF033 and 23.0.2-IF005. Vulnerability Details ** CVEID: CVE-2024-21501 DESCRIPTION: **Node.js sanitize-html module could allow a remote attacker to...

Security Bulletin: Weaker than expected security vulnerability affect IBM Business Automation Workflow - CVE-2023-50312

Summary IBM WebSphere Application Server Liberty profile is shipped with Process Federation Server and User Management Services in IBM Business Automation Workflow traditional. IBM Business Automation Workflow containers build upon IBM WebSphere Liberty profile. Information about a security...

Security Bulletin: Information disclosure vulnerabilities affect IBM Business Automation Workflow - CVE-2024-28849, CVE-2024-21501

Summary IBM Business Automation Workflow Web Process Designer is vulnerable to information disclosure attacks. Vulnerability Details ** CVEID: CVE-2024-28849 DESCRIPTION: **Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by the...

Security Bulletin: Denial of Service vulnerability in WebSphere Liberty affects IBM Business Automation Workflow - CVE-2023-51775

Summary IBM WebSphere Application Server Liberty profile is shipped with IBM Business Automation Workflow components User Management Service and Process Federation Service. Liberty is also used in containerized versions of IBM Business Automation Workflow. Liberty is vulnerable to a denial of...

Security Bulletin: A vulnerability in Microsoft .NET Core affects IBM Robotic Process Automation and may result in a bypass of security restrictions (CVE-2024-0056)

Summary A vulnerability in Microsoft .NET Core affects IBM Robotic Process Automation resulting in a bypass of security restrictions. Microsoft .NET Core is used by IBM Robotic Process Automation as part of it's development platform. This bulletin identifies the security fixes to apply to address.....

Security Bulletin: A vulnerability in Microsoft Azure Identity affects IBM Robotic Process Automation and may result in a denial of service (CVE-2024-21319)

Summary A vulnerability in Microsoft Azure Identity affects IBM Robotic Process Automation which may result in a denial of service. Microsoft Azure Identity is used by IBM Robotic Process Automation as part of identity management. This bulletin identifies the security fixes to apply to address the....

Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2024-37532)

Summary WebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletin(s) listed in the.....

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.2

Summary In addition to updates of open source dependencies, the following security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.2 Vulnerability Details ** CVEID: CVE-2018-1000134 DESCRIPTION: **Ping Identity UnboundID LDAP SDK could allow a remote attacker...

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.3

Summary In addition to updates of open source dependencies, the following security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.3 Vulnerability Details ** CVEID: CVE-2022-46364 DESCRIPTION: **Apache CXF is vulnerable to server-side request forgery, caused...

GHSA-9763-4F94-GFCH vulnerabilities

Vulnerabilities for packages: kubescape, cosign, vexctl, flux, kaniko, tkn, slsa-verifier, sops, terragrunt, boring-registry, policy-controller, spire-server, gitness, argo-cd, aactl, pulumi-language-java, pulumi-language-dotnet, zarf, goreleaser, pulumi, crossplane-provider-aws, tekton-chains,...

Advantech R-SeeNet 2.4.12 - Cross-Site Scripting

Advantech R-SeeNet 2.4.12 contains a reflected cross-site scripting vulnerability in the ssh_form.php script...

Security Bulletin: security vulnerabilities are addressed with IBM Business Automation Insights iFix for May 2024.

Summary Security vulnerabilities are addressed with IBM Business Automation Insights 23.0.2-IF005. Vulnerability Details ** CVEID: CVE-2024-29025 DESCRIPTION: **Netty is vulnerable to a denial of service, caused by a flaw when using the HttpPostRequestDecoder to decode a form. By sending a...

Advantech R-SeeNet 2.4.12 - OS Command Injection

Advantech R-SeeNet 2.4.12 is susceptible to remote OS command execution via the ping.php script functionality. An attacker, via a specially crafted HTTP request, can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering...

Advantech R-SeeNet - Cross-Site Scripting

Advantech R-SeeNet contains a cross-site scripting vulnerability in the device_graph_page.php script via the device_id parameter. A specially crafted URL by an attacker can lead to arbitrary JavaScript code...

Advantech R-SeeNet - Cross-Site Scripting

Advantech R-SeeNet is vulnerable to cross-site scripting via the device_graph_page.php script via the is2sim parameter. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code...

Advantech R-SeeNet 2.4.12 - Cross-Site Scripting

Advantech R-SeeNet 2.4.12 contains a reflected cross-site scripting vulnerability in the telnet_form.php script...

Advantech R-SeeNet - Cross-Site Scripting

Advantech R-SeeNet contains a cross-site scripting vulnerability in the device_graph_page.php script via the graph parameter. A specially crafted URL by an attacker can lead to arbitrary JavaScript code...

CVE-2024-6104 vulnerabilities

Vulnerabilities for packages: crossplane-provider-azure, cosign, falcoctl, kubescape, influxd, terraform, loki, step-ca, vexctl, flux, cert-manager, gomplate, bank-vaults, rekor, slsa-verifier, sops, tekton-pipelines, guac, tkn, snyk-cli, k3s, opentofu, policy-controller, buildkitd, spire-server,.....

[SECURITY] Fedora 38 Update: R-4.3.3-2.fc38

This is a metapackage that provides both core R userspace and all R development components. R is a language and environment for statistical computing and graphics. R is similar to the award-winning S system, which was developed at Bell Laboratories by John Chambers et al. It provides a wide...

[SECURITY] Fedora 39 Update: R-4.3.3-2.fc39

This is a metapackage that provides both core R userspace and all R development components. R is a language and environment for statistical computing and graphics. R is similar to the award-winning S system, which was developed at Bell Laboratories by John Chambers et al. It provides a wide...

CVE-2024-27322

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted....

Security Bulletin: IBM Cloud Pak for Network Automation 2.7.3 addresses multiple security vulnerabilities

Summary IBM Cloud Pak for Network Automation 2.7.3 addresses multiple security vulnerabilities, listed in the CVEs below. Vulnerability Details ** CVEID: CVE-2024-30260 DESCRIPTION: **Node.js undici module could allow a remote authenticated attacker to obtain sensitive information, caused by a...

GHSA-V6V8-XJ6M-XWQH vulnerabilities

Vulnerabilities for packages: crossplane-provider-azure, cosign, falcoctl, kubescape, influxd, terraform, loki, step-ca, vexctl, flux, cert-manager, gomplate, bank-vaults, rekor, slsa-verifier, sops, tekton-pipelines, guac, tkn, snyk-cli, k3s, opentofu, policy-controller, buildkitd, spire-server,.....

Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Business Automation Workflow Configuration Editor

Summary IBM Business Automation Workflow Configuration Editor repackages a vulnerable version of Node.js and express. Vulnerability Details ** CVEID: CVE-2024-27982 DESCRIPTION: **Node.js is vulnerable to HTTP request smuggling, caused by the use of content length obfuscation in the http server....