Summary

There are vulnerabilities in IBM® WebSphere Application Server Liberty and Open-Source Software (OSS) components used by IBM Controller. Additionally, IBM Controller is vulnerable to Client-Side Desync (CSD) (CVE-2022-39163). Please refer to the table in the Related Information section for vulnerability impact. This Security Bulletin relates only to the direct usage of third-party components by IBM Controller and not any nested dependencies within the product.

Vulnerability Details

CVEID: CVE-2024-45296
DESCRIPTION: path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single-threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time a route has two parameters within a single segment, separated by something that is not a period (.). Users of 0.1 should upgrade to 0.1.10; all other users should upgrade to 8.0.0.
CWE: CWE-1333: Inefficient Regular Expression Complexity
CVSS Source: CVE.org
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-40094
DESCRIPTION: GraphQL Java (aka graphql-java) is vulnerable to a denial of service, caused by the failure to properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service. By using introspection queries, a remote…