Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities
Description

Summary

There are vulnerabilities in Open-Source Software (OSS) components consumed by IBM Cognos Dashboards on Cloud Pak for Data. Please refer to the Related Information section below for vulnerability impact. This Security Bulletin relates only to the direct usage of third-party components by IBM Cognos Dashboards on Cloud Pak for Data and not to any nested dependencies within the product.

Vulnerability Details

CVEID: CVE-2024-2398
DESCRIPTION: cURL libcurl is vulnerable to a denial of service, caused by a memory leak when allowing HTTP/2 server push. By sending specially crafted PUSH_PROMISE frames with an excessive number of headers, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2024-7264
DESCRIPTION: cURL libcurl could allow a local attacker to obtain sensitive information, caused by an out-of-bounds read flaw in the GTime2str() function. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause the application to crash.
CWE: CWE-125: Out-of-bounds Read
CVSS Source: IBM X-Force
CVSS Base score: 3.6
CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L)

CVEID: CVE-2024-25638
DESCRIPTION: dnsjava could allow a remote attacker to bypass security restrictions, caused by…
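The bulletin names the two libcurl CVEs but, as extracted here, does not list affected or fixed component versions. The triage helper below is an added example, not IBM's tooling and not part of the bulletin: it parses the libcurl/ token from a `curl --version` banner and reports which of the two curl CVEs the library version falls into. The affected ranges are an assumption taken from the curl project's own advisories (CVE-2024-2398 fixed in 8.7.0, CVE-2024-7264 fixed in 8.9.1), not from this page, and the banners are constructed sample input. Note the caveat for CVE-2024-2398: libcurl denies server push unless the application installs a push callback (CURLMOPT_PUSHFUNCTION), so a version match is necessary but not sufficient for exposure.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected libcurl ranges (inclusive). ASSUMPTION: bounds are taken from the
# curl project's advisories, not from the IBM bulletin, which lists no versions.
AFFECTED_RANGES: Dict[str, Tuple[Version, Version]] = {
    "CVE-2024-2398": ((7, 44, 0), (8, 6, 0)),  # HTTP/2 push memory leak, fixed in 8.7.0
    "CVE-2024-7264": ((7, 32, 0), (8, 9, 0)),  # GTime2str() OOB read, fixed in 8.9.1
}

# CVE-2024-2398 additionally requires the application to have opted into
# accepting server push (CURLMOPT_PUSHFUNCTION); libcurl refuses pushes by default.
REQUIRES_OPT_IN = {"CVE-2024-2398": "HTTP/2 server push enabled via CURLMOPT_PUSHFUNCTION"}


def parse_libcurl_version(banner: str) -> Optional[Version]:
    """Extract the libcurl version from a `curl --version` first line.

    The libcurl/ token is used rather than the leading 'curl X.Y.Z' because the
    library, not the CLI binary, is what an application actually links against."""
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_cves(version: Version) -> List[str]:
    """Return the CVE IDs whose affected range contains `version`, sorted."""
    return sorted(cve for cve, (lo, hi) in AFFECTED_RANGES.items() if lo <= version <= hi)


def triage(banner: str) -> dict:
    """Parse a banner and report version, matching CVEs, and any extra preconditions."""
    v = parse_libcurl_version(banner)
    if v is None:
        return {"version": None, "affected": [], "preconditions": {}, "error": "no libcurl/ token found"}
    cves = affected_cves(v)
    return {
        "version": ".".join(map(str, v)),
        "affected": cves,
        "preconditions": {c: REQUIRES_OPT_IN[c] for c in cves if c in REQUIRES_OPT_IN},
        "error": None,
    }


# Constructed sample banners, not captured from any real system.
SAMPLE_BANNERS = {
    "old": "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0",
    "mid": "curl 8.8.0 (x86_64-pc-linux-gnu) libcurl/8.8.0 OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0",
    "new": "curl 8.10.1 (x86_64-pc-linux-gnu) libcurl/8.10.1 OpenSSL/3.3.2 zlib/1.3.1 nghttp2/1.63.0",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, triage(banner))
```

Run it against the output of `curl --version` from the container image that ships the dashboard service; a component bundled by the product may report a different version than the host's curl, and the product-level fix is whatever the bulletin's remediation section specifies, not a host package upgrade.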

