Two Critical Vulnerabilities in Multiple IBM Products (CVE-2024-39705, CVE-2024-27307)

Published On: Mar 03, 2025 12:17

Advisory No: TZCERT-SA-25-0063

Source: IBM

Software Affected: nltk, jsonata-js

Overview

Multiple IBM products are affected by two critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute arbitrary code.

Description

Multiple IBM products that depend on nltk and jsonata-js are affected by the vulnerabilities tracked as CVE-2024-39705 and CVE-2024-27307, each with a CVSS score of 9.8. In nltk, the flaw arises when an untrusted package contains pickled Python code and the integrated data package download functionality is used; in jsonata-js, it is a prototype pollution flaw in JSONata expressions. The vulnerabilities allow attackers to send a specially crafted request to execute arbitrary code or cause a denial-of-service condition on the system.
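As an added illustration (this is not code from IBM, nltk, or this advisory), the following Python shows why a pickled data package from an untrusted source is dangerous and one defensive pattern for loading such data: an Unpickler subclass that resolves only an allow-list of globals, so the pickle cannot name arbitrary callables. All names, the sample pickles and the allow-list are constructed for the example; it is not nltk's loader or nltk's fix.

```python
import io
import pickle

# Markers recorded during deserialization (constructed for this example).
SIDE_EFFECTS = []


def _record(tag):
    # Stand-in for any callable an untrusted pickle could name; it only
    # records a marker instead of doing anything to the host.
    SIDE_EFFECTS.append(tag)
    return tag


class _RunsOnLoad:
    # Pickled form tells the unpickler: "call _record('loaded-by-pickle')".
    def __reduce__(self):
        return (_record, ("loaded-by-pickle",))


def sample_safe_pickle():
    # A plain data package, the kind a tokenizer resource legitimately carries.
    return pickle.dumps({"tokens": ["hello", "world"], "count": 2})


def sample_unsafe_pickle():
    # Same container format, but carrying an object that runs code on load.
    return pickle.dumps(_RunsOnLoad())


# Allow-list of the only globals a data-package pickle is permitted to name
# (constructed; a real deployment would list exactly the types it expects).
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed globals, so a pickle cannot
    reach arbitrary callables during load."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from untrusted pickle"
        )


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unrestricted_load_report(data):
    """Load with plain pickle.loads; returns (status, value, side_effects)."""
    SIDE_EFFECTS.clear()
    value = pickle.loads(data)
    return ("ok", value, list(SIDE_EFFECTS))


def restricted_load_report(data):
    """Load with the restricted unpickler; returns (status, value, side_effects)."""
    SIDE_EFFECTS.clear()
    try:
        value = restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc), list(SIDE_EFFECTS))
    return ("ok", value, list(SIDE_EFFECTS))


if __name__ == "__main__":
    for label, blob in (("safe", sample_safe_pickle()),
                        ("unsafe", sample_unsafe_pickle())):
        print(label, "unrestricted:", unrestricted_load_report(blob))
        print(label, "restricted:  ", restricted_load_report(blob))
```

Run stand-alone, the script shows that plain `pickle.loads` executes the callable named in the unsafe blob before returning anything, while the restricted loader rejects that blob at the point where it tries to resolve the global and records no side effect; the plain data package loads identically under both. The allow-list approach still requires the allowed types to be genuinely inert, and it does nothing for the jsonata-js issue, which is a JavaScript prototype-pollution flaw rather than a deserialization one.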

Impact

Successful exploitation of these vulnerabilities may allow attackers to take control of the affected system.

Solution

IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.
