Published On: Mar 03, 2025 12:17
Advisory No: TZCERT-SA-25-0063
Source: IBM
Software Affected: nltk, jsonata-js
IBM products are vulnerable to critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute arbitrary code.
Multiple IBM products depending on nltk, and jsonata-js are affected by the vulnerabilities tracked as CVE-2024-39705, and CVE-2024-27307 with CVSS scores of 9.8 each. The plugins are vulnerable due to flaw when untrusted packages have pickled Python code, and the integrated data package download functionality is used and prototype pollution flaw in the JSONata expressions. The vulnerability allows attackers to send a specially crafted request to execute arbitrary code or cause a denial-of-service condition on the system.
Successful exploitation of these vulnerabilities may allow the attackers to take control of affected system.
IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.