Critical Vulnerabilities in IBM products (CVE-2024-41110, CVE-2024-39705)

Imechapishwa: Nov 15, 2024 15:46

Advisory No: TZCERT-SA-24-0045

Source: IBM

Software Affected: Moby, Natural Language Toolkit (NLTK)

Overview

Multiple IBM products are vulnerable to critical vulnerabilities. A remote attacker can exploit these vulnerabilities to execute arbitrary code.

Description

IBM products depending on Moby, and NLTK are affected by critical vulnerabilities tracked as CVE-2024-41110, and CVE-2024-39705 with CVSS base scores of 9.9 and 9.8 respectively. The vulnerabilities result when an untrusted package have pickled Python code, and the integrated data package download functionality is used, and when Engine API client could make the daemon forward the request or response to an authorization plugin without the body. The attacker can exploit these vulnerabilities by sending a specially crafted request to bypass authorization plugins and execute arbitrary code on affected system.

Impact

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system.

Solution

IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

Subscribe To TZ - CERT Newsletter

A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.

Subscribe
Ripoti Tukio