cvelistv5 - cve-2024-38821

CVE-2024-38821 (GCVE-0-2024-38821)

Vulnerability from cvelistv5

Published

2024-10-28 07:06

Modified

2025-01-24 20:03

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux application * It must be using Spring's static resources support * It must have a non-permitAll authorization rule applied to the static resources support

References

URL

Tags

https://spring.io/security/cve-2024-38821

Impacted products

	Vendor	Product	Version
	Spring	Spring	Version: 5.7.x Version: 5.8.x Version: 6.0.x Version: 6.1.x Version: 6.2.x Version: 6.3.x

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:spring:webflux:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "webflux",
            "vendor": "spring",
            "versions": [
              {
                "lessThan": "5.7.13",
                "status": "affected",
                "version": "5.7.x",
                "versionType": "custom"
              },
              {
                "lessThan": "5.8.15",
                "status": "affected",
                "version": "5.8x",
                "versionType": "custom"
              },
              {
                "lessThan": "6.0.13",
                "status": "affected",
                "version": "6.0x",
                "versionType": "custom"
              },
              {
                "lessThan": "6.1.11",
                "status": "affected",
                "version": "6.1x",
                "versionType": "custom"
              },
              {
                "lessThan": "6.2.7",
                "status": "affected",
                "version": "6.2x",
                "versionType": "custom"
              },
              {
                "lessThan": "6.3.4",
                "status": "affected",
                "version": "6.3x",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38821",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-31T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-01T03:55:20.442Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-24T20:03:04.932Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250124-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "packageName": "Spring Security",
          "product": "Spring",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "5.7.13",
              "status": "affected",
              "version": "5.7.x",
              "versionType": "Enterprise Support Only"
            },
            {
              "lessThan": "5.8.15",
              "status": "affected",
              "version": "5.8.x",
              "versionType": "Enterprise Support Only"
            },
            {
              "lessThan": "6.0.13",
              "status": "affected",
              "version": "6.0.x",
              "versionType": "Enterprise Support Only"
            },
            {
              "lessThan": "6.1.11",
              "status": "affected",
              "version": "6.1.x",
              "versionType": "Enterprise Support Only"
            },
            {
              "lessThan": "6.2.7",
              "status": "affected",
              "version": "6.2.x",
              "versionType": "OSS"
            },
            {
              "lessThan": "6.3.4",
              "status": "affected",
              "version": "6.3.x",
              "versionType": "OSS"
            }
          ]
        }
      ],
      "datePublic": "2024-10-22T05:34:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSpring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.\u003c/p\u003e\u003cp\u003eFor this to impact an application, all of the following must be true:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIt must be a WebFlux application\u003c/li\u003e\u003cli\u003eIt must be using Spring\u0027s static resources support\u003c/li\u003e\u003cli\u003eIt must have a non-permitAll authorization rule applied to the static resources support\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
            }
          ],
          "value": "Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.\n\nFor this to impact an application, all of the following must be true:\n\n  *  It must be a WebFlux application\n  *  It must be using Spring\u0027s static resources support\n  *  It must have a non-permitAll authorization rule applied to the static resources support"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-28T07:06:13.404Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2024-38821"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Authorization Bypass of Static Resources in WebFlux Applications",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2024-38821",
    "datePublished": "2024-10-28T07:06:13.404Z",
    "dateReserved": "2024-06-19T22:32:06.583Z",
    "dateUpdated": "2025-01-24T20:03:04.932Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-38821\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-28T12:31:35.974420Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:spring:webflux:*:*:*:*:*:*:*:*\"], \"vendor\": \"spring\", \"product\": \"webflux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.7.x\", \"lessThan\": \"5.7.13\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"5.8x\", \"lessThan\": \"5.8.15\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.0x\", \"lessThan\": \"6.0.13\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.1x\", \"lessThan\": \"6.1.11\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.2x\", \"lessThan\": \"6.2.7\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"6.3x\", \"lessThan\": \"6.3.4\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770 Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-28T12:37:58.707Z\"}}], \"cna\": {\"title\": \"Authorization Bypass of Static Resources in WebFlux Applications\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Spring\", \"product\": \"Spring\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.7.x\", \"lessThan\": \"5.7.13\", \"versionType\": \"Enterprise Support Only\"}, {\"status\": \"affected\", \"version\": \"5.8.x\", \"lessThan\": \"5.8.15\", \"versionType\": \"Enterprise Support Only\"}, {\"status\": \"affected\", \"version\": \"6.0.x\", \"lessThan\": \"6.0.13\", \"versionType\": \"Enterprise Support Only\"}, {\"status\": \"affected\", \"version\": \"6.1.x\", \"lessThan\": \"6.1.11\", \"versionType\": \"Enterprise Support Only\"}, {\"status\": \"affected\", \"version\": \"6.2.x\", \"lessThan\": \"6.2.7\", \"versionType\": \"OSS\"}, {\"status\": \"affected\", \"version\": \"6.3.x\", \"lessThan\": \"6.3.4\", \"versionType\": \"OSS\"}], \"packageName\": \"Spring Security\", \"defaultStatus\": \"affected\"}], \"datePublic\": \"2024-10-22T05:34:00.000Z\", \"references\": [{\"url\": \"https://spring.io/security/cve-2024-38821\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.\\n\\nFor this to impact an application, all of the following must be true:\\n\\n  *  It must be a WebFlux application\\n  *  It must be using Spring\u0027s static resources support\\n  *  It must have a non-permitAll authorization rule applied to the static resources support\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eSpring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.\u003c/p\u003e\u003cp\u003eFor this to impact an application, all of the following must be true:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIt must be a WebFlux application\u003c/li\u003e\u003cli\u003eIt must be using Spring\u0027s static resources support\u003c/li\u003e\u003cli\u003eIt must have a non-permitAll authorization rule applied to the static resources support\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"shortName\": \"vmware\", \"dateUpdated\": \"2024-10-28T07:06:13.404Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-38821\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-01T03:55:20.442Z\", \"dateReserved\": \"2024-06-19T22:32:06.583Z\", \"assignerOrgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"datePublished\": \"2024-10-28T07:06:13.404Z\", \"assignerShortName\": \"vmware\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2025-AVI-0924

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	Db2	DB2 Data Management Console versions antérieures à 3.1.13
IBM	Security QRadar Network Threat	Security QRadar Network Threat Analytics versions antérieures à 1.4.1
IBM	Security QRadar Log Management AQL	Greffon Security QRadar Log Management AQL versions antérieures à 1.1.3
IBM	Sterling Control Center	Sterling Control Center versions 6.4.0.x antérieures à 6.4.0.0 iFix02
IBM	Spectrum	Spectrum Symphony versions antérieures à 7.3.2 sans le correctif 602717
IBM	Sterling Control Center	Sterling Control Center versions 6.3.1.x antérieures à 6.3.1.0 iFix05
IBM	Sterling Connect:Direct	Sterling Connect:Direct Web Services 6.4.x antérieures à 6.4.0.4
IBM	Sterling Connect:Direct	Sterling Connect:Direct Web Services versions 6.2.x antérieures à 6.2.0.29
IBM	Sterling Connect:Direct	Sterling Connect:Direct Web Services 6.3.x antérieures à 6.3.0.15

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7248583	2025-10-21	vendor-advisory
Bulletin de sécurité IBM 7248935	2025-10-23	vendor-advisory
Bulletin de sécurité IBM 7249065	2025-10-24	vendor-advisory
Bulletin de sécurité IBM 7249063	2025-10-24	vendor-advisory
Bulletin de sécurité IBM 7249064	2025-10-24	vendor-advisory
Bulletin de sécurité IBM 7249062	2025-10-24	vendor-advisory
Bulletin de sécurité IBM 7249013	2025-10-23	vendor-advisory
Bulletin de sécurité IBM 7248293	2025-10-17	vendor-advisory
Bulletin de sécurité IBM 7248548	2025-10-20	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "DB2 Data Management Console versions ant\u00e9rieures \u00e0 3.1.13",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Security QRadar Network Threat Analytics versions ant\u00e9rieures \u00e0 1.4.1",
      "product": {
        "name": "Security QRadar Network Threat",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Greffon Security QRadar Log Management AQL versions ant\u00e9rieures \u00e0 1.1.3",
      "product": {
        "name": "Security QRadar Log Management AQL",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Control Center versions 6.4.0.x ant\u00e9rieures \u00e0 6.4.0.0 iFix02",
      "product": {
        "name": "Sterling Control Center",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Spectrum Symphony versions ant\u00e9rieures \u00e0 7.3.2 sans le correctif 602717",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Control Center versions 6.3.1.x ant\u00e9rieures \u00e0 6.3.1.0 iFix05",
      "product": {
        "name": "Sterling Control Center",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Connect:Direct Web Services 6.4.x ant\u00e9rieures \u00e0 6.4.0.4",
      "product": {
        "name": "Sterling Connect:Direct",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Connect:Direct Web Services versions 6.2.x ant\u00e9rieures \u00e0 6.2.0.29",
      "product": {
        "name": "Sterling Connect:Direct",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Connect:Direct Web Services 6.3.x ant\u00e9rieures \u00e0 6.3.0.15",
      "product": {
        "name": "Sterling Connect:Direct",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-4447",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-4447"
    },
    {
      "name": "CVE-2024-55565",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-55565"
    },
    {
      "name": "CVE-2024-47076",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47076"
    },
    {
      "name": "CVE-2024-47177",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47177"
    },
    {
      "name": "CVE-2023-50312",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-50312"
    },
    {
      "name": "CVE-2025-22228",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
    },
    {
      "name": "CVE-2025-48050",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48050"
    },
    {
      "name": "CVE-2024-38819",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38819"
    },
    {
      "name": "CVE-2024-22243",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22243"
    },
    {
      "name": "CVE-2024-29857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
    },
    {
      "name": "CVE-2025-58057",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58057"
    },
    {
      "name": "CVE-2024-25026",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25026"
    },
    {
      "name": "CVE-2024-22262",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22262"
    },
    {
      "name": "CVE-2024-45338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45338"
    },
    {
      "name": "CVE-2025-48068",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48068"
    },
    {
      "name": "CVE-2024-22329",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22329"
    },
    {
      "name": "CVE-2024-53382",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-53382"
    },
    {
      "name": "CVE-2024-45296",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45296"
    },
    {
      "name": "CVE-2024-45801",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45801"
    },
    {
      "name": "CVE-2025-21587",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-21587"
    },
    {
      "name": "CVE-2023-51775",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-51775"
    },
    {
      "name": "CVE-2024-27268",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-27268"
    },
    {
      "name": "CVE-2024-47535",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47535"
    },
    {
      "name": "CVE-2025-30698",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30698"
    },
    {
      "name": "CVE-2024-38821",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38821"
    },
    {
      "name": "CVE-2025-26791",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-26791"
    },
    {
      "name": "CVE-2025-41232",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-41232"
    },
    {
      "name": "CVE-2025-23184",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23184"
    },
    {
      "name": "CVE-2025-29927",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-29927"
    },
    {
      "name": "CVE-2025-25193",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25193"
    },
    {
      "name": "CVE-2024-47176",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47176"
    },
    {
      "name": "CVE-2024-27270",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-27270"
    },
    {
      "name": "CVE-2025-22870",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22870"
    },
    {
      "name": "CVE-2025-22235",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22235"
    },
    {
      "name": "CVE-2025-27789",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27789"
    },
    {
      "name": "CVE-2025-2900",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-2900"
    },
    {
      "name": "CVE-2024-22259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22259"
    },
    {
      "name": "CVE-2025-27363",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27363"
    },
    {
      "name": "CVE-2023-50314",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-50314"
    },
    {
      "name": "CVE-2025-30153",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30153"
    },
    {
      "name": "CVE-2024-22354",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22354"
    },
    {
      "name": "CVE-2024-47175",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47175"
    },
    {
      "name": "CVE-2023-23916",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23916"
    },
    {
      "name": "CVE-2025-48734",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48734"
    }
  ],
  "initial_release_date": "2025-10-24T00:00:00",
  "last_revision_date": "2025-10-24T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0924",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-10-24T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": "2025-10-21",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7248583",
      "url": "https://www.ibm.com/support/pages/node/7248583"
    },
    {
      "published_at": "2025-10-23",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7248935",
      "url": "https://www.ibm.com/support/pages/node/7248935"
    },
    {
      "published_at": "2025-10-24",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7249065",
      "url": "https://www.ibm.com/support/pages/node/7249065"
    },
    {
      "published_at": "2025-10-24",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7249063",
      "url": "https://www.ibm.com/support/pages/node/7249063"
    },
    {
      "published_at": "2025-10-24",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7249064",
      "url": "https://www.ibm.com/support/pages/node/7249064"
    },
    {
      "published_at": "2025-10-24",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7249062",
      "url": "https://www.ibm.com/support/pages/node/7249062"
    },
    {
      "published_at": "2025-10-23",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7249013",
      "url": "https://www.ibm.com/support/pages/node/7249013"
    },
    {
      "published_at": "2025-10-17",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7248293",
      "url": "https://www.ibm.com/support/pages/node/7248293"
    },
    {
      "published_at": "2025-10-20",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7248548",
      "url": "https://www.ibm.com/support/pages/node/7248548"
    }
  ]
}

CERTFR-2025-AVI-1131

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	Db2 Warehouse	Db2 Warehouse on Cloud Pak for Data versions antérieures à 5.3.0
IBM	QRadar SIEM	QRadar SIEM versions 7.5.0 versions antérieures à 7.5.0 UP14 IF03
IBM	Sterling Connect:Direct	Sterling Connect:Direct Web Services versions 6.3.0.x antérieures à 6.3.0.16
IBM	QRadar	QRadar Suite Software versions 1.11.x antérieures à 1.11.8.0
IBM	Sterling Connect:Direct	Sterling Connect:Direct Web Services versions 6.4.0.x antérieures à 6.4.0.5
IBM	Sterling Partner Engagement Manager Standard Edition	Sterling Partner Engagement Manager Standard Edition versions 6.2.4.x antérieures à 6.2.4.5
IBM	Sterling Partner Engagement Manager Standard Edition	Sterling Partner Engagement Manager Standard Edition versions 6.2.3.x antérieures à 6.2.3.5
IBM	Db2	Db2 on Cloud Pak for Data versions antérieures à 5.3.0
IBM	Cognos Dashboards	Cognos Dashboards on Cloud Pak for Data versions 5.x antérieures à 5.3
IBM	Db2	Db2 Intelligence Center versions 1.1.x antérieures à 1.1.3.0
IBM	Sterling Partner Engagement Manager Essentials Edition	Sterling Partner Engagement Manager Essentials Edition versions 6.2.4.x antérieures à 6.2.4.2
IBM	Sterling Partner Engagement Manager Essentials Edition	Sterling Partner Engagement Manager Essentials Edition versions 6.2.3.x antérieures à 6.2.3.5

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7252732	2025-12-15	vendor-advisory
Bulletin de sécurité IBM 7254815	2025-12-15	vendor-advisory
Bulletin de sécurité IBM 7255060	2025-12-17	vendor-advisory
Bulletin de sécurité IBM 7255154	2025-12-17	vendor-advisory
Bulletin de sécurité IBM 7255095	2025-12-17	vendor-advisory
Bulletin de sécurité IBM 7254849	2025-12-16	vendor-advisory
Bulletin de sécurité IBM 7254850	2025-12-16	vendor-advisory
Bulletin de sécurité IBM 7255160	2025-12-17	vendor-advisory
Bulletin de sécurité IBM 7255065	2025-12-17	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Db2 Warehouse on Cloud Pak for Data versions ant\u00e9rieures \u00e0 5.3.0",
      "product": {
        "name": "Db2 Warehouse",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar SIEM versions 7.5.0 versions ant\u00e9rieures \u00e0 7.5.0 UP14 IF03",
      "product": {
        "name": "QRadar SIEM",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Connect:Direct Web Services versions 6.3.0.x ant\u00e9rieures \u00e0 6.3.0.16",
      "product": {
        "name": "Sterling Connect:Direct",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Suite Software versions 1.11.x ant\u00e9rieures \u00e0 1.11.8.0",
      "product": {
        "name": "QRadar",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Connect:Direct Web Services versions 6.4.0.x ant\u00e9rieures \u00e0 6.4.0.5",
      "product": {
        "name": "Sterling Connect:Direct",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Standard Edition versions 6.2.4.x ant\u00e9rieures \u00e0 6.2.4.5 ",
      "product": {
        "name": "Sterling Partner Engagement Manager Standard Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Standard Edition versions 6.2.3.x ant\u00e9rieures \u00e0 6.2.3.5 ",
      "product": {
        "name": "Sterling Partner Engagement Manager Standard Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Db2 on Cloud Pak for Data versions ant\u00e9rieures \u00e0 5.3.0",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Cognos Dashboards on Cloud Pak for Data versions 5.x ant\u00e9rieures \u00e0 5.3",
      "product": {
        "name": "Cognos Dashboards",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Db2 Intelligence Center versions 1.1.x ant\u00e9rieures \u00e0 1.1.3.0",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Essentials Edition versions 6.2.4.x ant\u00e9rieures \u00e0 6.2.4.2",
      "product": {
        "name": "Sterling Partner Engagement Manager Essentials Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Essentials Edition versions 6.2.3.x ant\u00e9rieures \u00e0 6.2.3.5",
      "product": {
        "name": "Sterling Partner Engagement Manager Essentials Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-6395",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-6395"
    },
    {
      "name": "CVE-2025-2534",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-2534"
    },
    {
      "name": "CVE-2023-1370",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
    },
    {
      "name": "CVE-2025-4447",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-4447"
    },
    {
      "name": "CVE-2024-38286",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38286"
    },
    {
      "name": "CVE-2025-8941",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-8941"
    },
    {
      "name": "CVE-2021-26272",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-26272"
    },
    {
      "name": "CVE-2025-41234",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-41234"
    },
    {
      "name": "CVE-2025-39761",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-39761"
    },
    {
      "name": "CVE-2024-49350",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-49350"
    },
    {
      "name": "CVE-2025-39883",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-39883"
    },
    {
      "name": "CVE-2025-36131",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-36131"
    },
    {
      "name": "CVE-2025-0913",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0913"
    },
    {
      "name": "CVE-2025-47907",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47907"
    },
    {
      "name": "CVE-2024-12797",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-12797"
    },
    {
      "name": "CVE-2025-30065",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30065"
    },
    {
      "name": "CVE-2024-47118",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47118"
    },
    {
      "name": "CVE-2021-2341",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2341"
    },
    {
      "name": "CVE-2022-45061",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45061"
    },
    {
      "name": "CVE-2022-30635",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-30635"
    },
    {
      "name": "CVE-2021-47621",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-47621"
    },
    {
      "name": "CVE-2025-24970",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-24970"
    },
    {
      "name": "CVE-2022-21299",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21299"
    },
    {
      "name": "CVE-2024-45341",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45341"
    },
    {
      "name": "CVE-2025-7962",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-7962"
    },
    {
      "name": "CVE-2025-61912",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61912"
    },
    {
      "name": "CVE-2022-21305",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21305"
    },
    {
      "name": "CVE-2025-55198",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55198"
    },
    {
      "name": "CVE-2025-5372",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-5372"
    },
    {
      "name": "CVE-2025-58057",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58057"
    },
    {
      "name": "CVE-2022-25927",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25927"
    },
    {
      "name": "CVE-2024-26308",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26308"
    },
    {
      "name": "CVE-2025-1992",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-1992"
    },
    {
      "name": "CVE-2024-34158",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34158"
    },
    {
      "name": "CVE-2025-30754",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30754"
    },
    {
      "name": "CVE-2025-22233",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22233"
    },
    {
      "name": "CVE-2025-36136",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-36136"
    },
    {
      "name": "CVE-2025-38724",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-38724"
    },
    {
      "name": "CVE-2020-9493",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9493"
    },
    {
      "name": "CVE-2025-36008",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-36008"
    },
    {
      "name": "CVE-2024-38820",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38820"
    },
    {
      "name": "CVE-2025-47906",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
    },
    {
      "name": "CVE-2025-39718",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-39718"
    },
    {
      "name": "CVE-2025-59375",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-59375"
    },
    {
      "name": "CVE-2024-23454",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-23454"
    },
    {
      "name": "CVE-2022-3510",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
    },
    {
      "name": "CVE-2022-3509",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
    },
    {
      "name": "CVE-2025-58188",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58188"
    },
    {
      "name": "CVE-2025-36006",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-36006"
    },
    {
      "name": "CVE-2023-34055",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-34055"
    },
    {
      "name": "CVE-2025-36186",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-36186"
    },
    {
      "name": "CVE-2025-55182",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55182"
    },
    {
      "name": "CVE-2025-38079",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-38079"
    },
    {
      "name": "CVE-2025-6493",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-6493"
    },
    {
      "name": "CVE-2025-6020",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-6020"
    },
    {
      "name": "CVE-2021-2369",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2369"
    },
    {
      "name": "CVE-2025-22868",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
    },
    {
      "name": "CVE-2025-33012",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-33012"
    },
    {
      "name": "CVE-2024-56337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-56337"
    },
    {
      "name": "CVE-2025-5187",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-5187"
    },
    {
      "name": "CVE-2025-61723",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61723"
    },
    {
      "name": "CVE-2025-41235",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-41235"
    },
    {
      "name": "CVE-2025-21587",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-21587"
    },
    {
      "name": "CVE-2023-53539",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-53539"
    },
    {
      "name": "CVE-2024-25710",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25710"
    },
    {
      "name": "CVE-2024-7254",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
    },
    {
      "name": "CVE-2025-61725",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61725"
    },
    {
      "name": "CVE-2021-2388",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2388"
    },
    {
      "name": "CVE-2025-39955",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-39955"
    },
    {
      "name": "CVE-2025-32990",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-32990"
    },
    {
      "name": "CVE-2025-2518",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-2518"
    },
    {
      "name": "CVE-2024-41946",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41946"
    },
    {
      "name": "CVE-2022-21365",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21365"
    },
    {
      "name": "CVE-2025-32989",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-32989"
    },
    {
      "name": "CVE-2024-38827",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38827"
    },
    {
      "name": "CVE-2025-38292",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-38292"
    },
    {
      "name": "CVE-2025-50059",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-50059"
    },
    {
      "name": "CVE-2025-55199",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55199"
    },
    {
      "name": "CVE-2024-34156",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34156"
    },
    {
      "name": "CVE-2018-10237",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-10237"
    },
    {
      "name": "CVE-2025-59250",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-59250"
    },
    {
      "name": "CVE-2025-1493",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-1493"
    },
    {
      "name": "CVE-2025-30761",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30761"
    },
    {
      "name": "CVE-2024-47535",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47535"
    },
    {
      "name": "CVE-2025-3050",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-3050"
    },
    {
      "name": "CVE-2022-21294",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21294"
    },
    {
      "name": "CVE-2025-1767",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-1767"
    },
    {
      "name": "CVE-2021-26271",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-26271"
    },
    {
      "name": "CVE-2025-30698",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30698"
    },
    {
      "name": "CVE-2024-38821",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38821"
    },
    {
      "name": "CVE-2025-58187",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58187"
    },
    {
      "name": "CVE-2025-39825",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-39825"
    },
    {
      "name": "CVE-2025-22871",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
    },
    {
      "name": "CVE-2025-32988",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-32988"
    },
    {
      "name": "CVE-2024-34750",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34750"
    },
    {
      "name": "CVE-2022-21341",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21341"
    },
    {
      "name": "CVE-2023-53401",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-53401"
    },
    {
      "name": "CVE-2025-47913",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47913"
    },
    {
      "name": "CVE-2020-8908",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8908"
    },
    {
      "name": "CVE-2025-24294",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-24294"
    },
    {
      "name": "CVE-2025-0915",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0915"
    },
    {
      "name": "CVE-2022-21340",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21340"
    },
    {
      "name": "CVE-2022-21293",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21293"
    },
    {
      "name": "CVE-2025-38351",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-38351"
    },
    {
      "name": "CVE-2025-25193",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25193"
    },
    {
      "name": "CVE-2024-52903",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-52903"
    },
    {
      "name": "CVE-2022-21282",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21282"
    },
    {
      "name": "CVE-2022-21349",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21349"
    },
    {
      "name": "CVE-2025-32415",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-32415"
    },
    {
      "name": "CVE-2025-46653",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-46653"
    },
    {
      "name": "CVE-2025-22235",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22235"
    },
    {
      "name": "CVE-2021-28861",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28861"
    },
    {
      "name": "CVE-2022-21248",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21248"
    },
    {
      "name": "CVE-2018-14721",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-14721"
    },
    {
      "name": "CVE-2025-32414",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-32414"
    },
    {
      "name": "CVE-2025-2900",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-2900"
    },
    {
      "name": "CVE-2025-0426",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0426"
    },
    {
      "name": "CVE-2020-9281",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9281"
    },
    {
      "name": "CVE-2024-50301",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50301"
    },
    {
      "name": "CVE-2023-2976",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-2976"
    },
    {
      "name": "CVE-2025-1000",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-1000"
    },
    {
      "name": "CVE-2022-3697",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3697"
    },
    {
      "name": "CVE-2025-8058",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-8058"
    },
    {
      "name": "CVE-2023-53513",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-53513"
    },
    {
      "name": "CVE-2025-33134",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-33134"
    },
    {
      "name": "CVE-2024-50379",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50379"
    },
    {
      "name": "CVE-2025-5914",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-5914"
    },
    {
      "name": "CVE-2023-39804",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-39804"
    },
    {
      "name": "CVE-2025-58754",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58754"
    },
    {
      "name": "CVE-2025-53057",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53057"
    },
    {
      "name": "CVE-2022-3171",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
    },
    {
      "name": "CVE-2024-22354",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22354"
    },
    {
      "name": "CVE-2024-34155",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34155"
    },
    {
      "name": "CVE-2024-41123",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41123"
    },
    {
      "name": "CVE-2025-6442",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-6442"
    },
    {
      "name": "CVE-2025-53066",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53066"
    },
    {
      "name": "CVE-2022-50543",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-50543"
    },
    {
      "name": "CVE-2025-22227",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22227"
    },
    {
      "name": "CVE-2025-47273",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47273"
    },
    {
      "name": "CVE-2022-21360",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21360"
    },
    {
      "name": "CVE-2025-61911",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61911"
    },
    {
      "name": "CVE-2022-21296",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21296"
    },
    {
      "name": "CVE-2025-14687",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-14687"
    },
    {
      "name": "CVE-2016-1000027",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-1000027"
    },
    {
      "name": "CVE-2025-47287",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47287"
    },
    {
      "name": "CVE-2024-49761",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-49761"
    },
    {
      "name": "CVE-2024-57699",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
    },
    {
      "name": "CVE-2025-36185",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-36185"
    },
    {
      "name": "CVE-2025-48734",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48734"
    }
  ],
  "initial_release_date": "2025-12-19T00:00:00",
  "last_revision_date": "2025-12-19T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-1131",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-12-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": "2025-12-15",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7252732",
      "url": "https://www.ibm.com/support/pages/node/7252732"
    },
    {
      "published_at": "2025-12-15",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7254815",
      "url": "https://www.ibm.com/support/pages/node/7254815"
    },
    {
      "published_at": "2025-12-17",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7255060",
      "url": "https://www.ibm.com/support/pages/node/7255060"
    },
    {
      "published_at": "2025-12-17",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7255154",
      "url": "https://www.ibm.com/support/pages/node/7255154"
    },
    {
      "published_at": "2025-12-17",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7255095",
      "url": "https://www.ibm.com/support/pages/node/7255095"
    },
    {
      "published_at": "2025-12-16",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7254849",
      "url": "https://www.ibm.com/support/pages/node/7254849"
    },
    {
      "published_at": "2025-12-16",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7254850",
      "url": "https://www.ibm.com/support/pages/node/7254850"
    },
    {
      "published_at": "2025-12-17",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7255160",
      "url": "https://www.ibm.com/support/pages/node/7255160"
    },
    {
      "published_at": "2025-12-17",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7255065",
      "url": "https://www.ibm.com/support/pages/node/7255065"
    }
  ]
}

CERTFR-2024-AVI-0914

Vulnerability from certfr_avis

Une vulnérabilité a été découverte dans les produits Spring. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

L'éditeur précise que les vulnérabilités affectent uniquement les configurations qui respectent les conditions suivantes : * Application Webflux * Utilisation du support des ressources statiques proposé par Spring * Utilisation d'une règle d'autorisation non-permitAll appliquée sur les ressources statiques

Impacted products

Vendor	Product	Description
Spring	Spring Framework	Spring versions 6.2.x antérieures à 6.2.7
Spring	Spring Framework	Spring versions 5.7.x antérieures à 5.7.13
Spring	Spring Framework	Spring versions 6.0.x antérieures à 6.0.13
Spring	Spring Framework	Spring versions 6.1.x antérieures à 6.1.11
Spring	Spring Framework	Spring versions 6.3.x antérieures à 6.3.4
Spring	Spring Framework	Spring versions 5.8.x antérieures à 5.8.15

References

Title

Publication Time

Tags

Bulletin de sécurité Spring cve-2024-38821

2024-10-22

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Spring versions 6.2.x ant\u00e9rieures \u00e0 6.2.7",
      "product": {
        "name": "Spring Framework",
        "vendor": {
          "name": "Spring",
          "scada": false
        }
      }
    },
    {
      "description": "Spring versions 5.7.x ant\u00e9rieures \u00e0 5.7.13",
      "product": {
        "name": "Spring Framework",
        "vendor": {
          "name": "Spring",
          "scada": false
        }
      }
    },
    {
      "description": "Spring versions 6.0.x ant\u00e9rieures \u00e0 6.0.13",
      "product": {
        "name": "Spring Framework",
        "vendor": {
          "name": "Spring",
          "scada": false
        }
      }
    },
    {
      "description": "Spring versions 6.1.x ant\u00e9rieures \u00e0 6.1.11",
      "product": {
        "name": "Spring Framework",
        "vendor": {
          "name": "Spring",
          "scada": false
        }
      }
    },
    {
      "description": "Spring versions 6.3.x ant\u00e9rieures \u00e0 6.3.4",
      "product": {
        "name": "Spring Framework",
        "vendor": {
          "name": "Spring",
          "scada": false
        }
      }
    },
    {
      "description": "Spring versions 5.8.x ant\u00e9rieures \u00e0 5.8.15",
      "product": {
        "name": "Spring Framework",
        "vendor": {
          "name": "Spring",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "L\u0027\u00e9diteur pr\u00e9cise que les vuln\u00e9rabilit\u00e9s affectent uniquement les configurations qui respectent les conditions suivantes :\n* Application Webflux\n* Utilisation du support des ressources statiques propos\u00e9 par Spring\n* Utilisation d\u0027une r\u00e8gle d\u0027autorisation *non-permitAll* appliqu\u00e9e sur les ressources statiques",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-38821",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38821"
    }
  ],
  "initial_release_date": "2024-10-23T00:00:00",
  "last_revision_date": "2024-10-23T00:00:00",
  "links": [],
  "reference": "CERTFR-2024-AVI-0914",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-10-23T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans les produits Spring. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Vuln\u00e9rabilit\u00e9 dans les produits Spring",
  "vendor_advisories": [
    {
      "published_at": "2024-10-22",
      "title": "Bulletin de s\u00e9curit\u00e9 Spring cve-2024-38821",
      "url": "https://spring.io/security/cve-2024-38821"
    }
  ]
}

CERTFR-2025-AVI-0215

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits VMware. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	VMware	Tanzu	Tanzu Gemfire Management Console versions antérieures à 1.3.1

References

Title

Publication Time

Tags

Bulletin de sécurité VMware 25509

2025-03-14

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Tanzu Gemfire Management Console versions ant\u00e9rieures \u00e0 1.3.1",
      "product": {
        "name": "Tanzu",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-24790",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24790"
    },
    {
      "name": "CVE-2024-38286",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38286"
    },
    {
      "name": "CVE-2024-45772",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45772"
    },
    {
      "name": "CVE-2025-24970",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-24970"
    },
    {
      "name": "CVE-2024-24791",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24791"
    },
    {
      "name": "CVE-2024-22243",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22243"
    },
    {
      "name": "CVE-2024-29857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
    },
    {
      "name": "CVE-2024-34447",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34447"
    },
    {
      "name": "CVE-2024-29025",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-29025"
    },
    {
      "name": "CVE-2024-34158",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34158"
    },
    {
      "name": "CVE-2024-22262",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22262"
    },
    {
      "name": "CVE-2024-38809",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38809"
    },
    {
      "name": "CVE-2024-30172",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30172"
    },
    {
      "name": "CVE-2024-36124",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-36124"
    },
    {
      "name": "CVE-2024-23672",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-23672"
    },
    {
      "name": "CVE-2024-8184",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-8184"
    },
    {
      "name": "CVE-2024-56337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-56337"
    },
    {
      "name": "CVE-2024-6763",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6763"
    },
    {
      "name": "CVE-2024-38827",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38827"
    },
    {
      "name": "CVE-2024-34156",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34156"
    },
    {
      "name": "CVE-2024-47535",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47535"
    },
    {
      "name": "CVE-2023-52428",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52428"
    },
    {
      "name": "CVE-2024-38821",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38821"
    },
    {
      "name": "CVE-2024-34750",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34750"
    },
    {
      "name": "CVE-2024-38828",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38828"
    },
    {
      "name": "CVE-2024-24549",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24549"
    },
    {
      "name": "CVE-2024-38808",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38808"
    },
    {
      "name": "CVE-2025-25193",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25193"
    },
    {
      "name": "CVE-2024-30171",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30171"
    },
    {
      "name": "CVE-2024-22259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22259"
    },
    {
      "name": "CVE-2024-22257",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22257"
    },
    {
      "name": "CVE-2024-50379",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50379"
    },
    {
      "name": "CVE-2024-38816",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-38816"
    },
    {
      "name": "CVE-2024-52317",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-52317"
    },
    {
      "name": "CVE-2024-34155",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34155"
    },
    {
      "name": "CVE-2024-32473",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-32473"
    },
    {
      "name": "CVE-2024-24789",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24789"
    }
  ],
  "initial_release_date": "2025-03-17T00:00:00",
  "last_revision_date": "2025-03-17T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0215",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-03-17T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits VMware. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans VMware Tanzu Gemfire",
  "vendor_advisories": [
    {
      "published_at": "2025-03-14",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 25509",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25509"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-38821 (GCVE-0-2024-38821)

Vulnerability from cvelistv5

CERTFR-2025-AVI-0924

Vulnerability from certfr_avis

Solutions

CERTFR-2025-AVI-1131

Vulnerability from certfr_avis

Solutions

CERTFR-2024-AVI-0914

Vulnerability from certfr_avis

Solutions

CERTFR-2025-AVI-0215

Vulnerability from certfr_avis

Solutions

Tags

Sightings

Nomenclature