Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities
Description

Summary

There are vulnerabilities in multiple Open Source Software (OSS) components consumed by IBM Planning Analytics Workspace. These issues have been addressed by upgrading or removing the vulnerable libraries. Additionally, two Malicious File Upload vulnerabilities have been addressed. Please refer to the table in the Related Information section for vulnerability impact. This Security Bulletin relates only to the direct usage of third-party components by IBM Planning Analytics Workspace, and not any nested dependencies within the product.

Vulnerability Details

CVEID: CVE-2024-25034
DESCRIPTION: IBM Planning Analytics could be vulnerable to malicious file upload by not validating the type of file in the File Manager T1 process. Attackers can make use of this weakness and upload malicious executable files into the system that can be sent to victims for performing further attacks.
CWE: CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS Source: IBM X-Force
CVSS Base score: 8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2024-38809
DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted HTTP request containing ETags from "If-Match" or "If-None-Match" request headers, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1333: Inefficient Regular Expression Complexity
CVSS Source: IBM X-Force
CVSS Base…
