Florian Grunow

**Nome do software vulnerável e versões afetadas** Versões do CycloneDX BOM Repository Server anteriores à 2.0.1 **Descrição** O CycloneDX BOM Repository Server apresenta uma falha na validação de entradas que leva a um problema de traversal de caminho. Isso poderia permitir que um usuário mal-intencionado criasse diretórios arbitrários ou causasse uma negação de serviço ao excluir diretórios arbitrários. A vulnerabilidade não pode ser explorada se os métodos POST e DELETE estiverem desativados, o que é a configuração padrão. Isso pode ser feito modificando o arquivo `appsettings.json` ou definindo as variáveis de ambiente `ALLOWEDMETHODS POST` e `ALLOWEDMETHODS DELETE` como `false`. **Recomendações** Para versões do CycloneDX BOM Repository Server anteriores à 2.0.1, atualize para a versão 2.0.1 para resolver o problema. Como solução alternativa temporária, considere modificar o arquivo `appsettings.json` para desativar os métodos post e delete, ou defina as variáveis de ambiente `ALLOWEDMETHODS POST` e `ALLOWEDMETHODS DELETE` como `false` para impedir a exploração.

**Name of the Vulnerable Software and Affected Versions** SquirrelMail version 1.4.22 **Description** A directory traversal flaw allows an authenticated attacker to exfiltrate or potentially delete files from the hosting server. This issue is related to the use of ../ in the `att local name` field in Deliver.class.php. **Recommendations** For SquirrelMail version 1.4.22, consider restricting access to the Deliver.class.php file or disabling the functionality related to the `att local name` field until a patch is available. Avoid using the `att local name` field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM General Parallel File System (GPFS) versions 3.4 before 3.4.0.32 IBM General Parallel File System (GPFS) versions 3.5 before 3.5.0.24 IBM General Parallel File System (GPFS) versions 4.1 before 4.1.0.7 **Description** The issue is related to insufficient authentication of network packets when the cipherList configuration parameter is set. This can be exploited by a remote attacker to execute applications with administrator privileges. **Recommendations** For IBM General Parallel File System (GPFS) versions 3.4 before 3.4.0.32, update to version 3.4.0.32 or later. For IBM General Parallel File System (GPFS) versions 3.5 before 3.5.0.24, update to version 3.5.0.24 or later. For IBM General Parallel File System (GPFS) versions 4.1 before 4.1.0.7, update to version 4.1.0.7 or later.

**Name of the Vulnerable Software and Affected Versions** IBM General Parallel File System (GPFS) versions 3.4 through 3.4.0.27 IBM General Parallel File System (GPFS) versions 3.5 through 3.5.0.16 **Description** The issue allows attackers to cause a denial of service, resulting in a daemon crash, by providing crafted arguments to a setuid program. **Recommendations** For IBM General Parallel File System (GPFS) versions 3.4 through 3.4.0.27, update to a version later than 3.4.0.27 to resolve the issue. For IBM General Parallel File System (GPFS) versions 3.5 through 3.5.0.16, update to a version later than 3.5.0.16 to resolve the issue.