Florian Grunow

**Name of the Vulnerable Software and Affected Versions** CycloneDX BOM Repository Server versions prior to 2.0.1 **Description** The CycloneDX BOM Repository Server has an improper input validation issue leading to path traversal. This could allow a malicious user to create arbitrary directories or cause a denial of service by deleting arbitrary directories. The issue is not exploitable if the post and delete methods are disabled, which is the default configuration. This can be achieved by modifying the `appsettings.json` file or by setting the environment variables `ALLOWEDMETHODS POST` and `ALLOWEDMETHODS DELETE` to `false`. **Recommendations** For CycloneDX BOM Repository Server versions prior to 2.0.1, update to version 2.0.1 to resolve the issue. As a temporary workaround, consider modifying the `appsettings.json` file to disable the post and delete methods, or set the environment variables `ALLOWEDMETHODS POST` and `ALLOWEDMETHODS DELETE` to `false` to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** SquirrelMail version 1.4.22 **Description** A directory traversal flaw allows an authenticated attacker to exfiltrate or potentially delete files from the hosting server. This issue is related to the use of ../ in the `att local name` field in Deliver.class.php. **Recommendations** For SquirrelMail version 1.4.22, consider restricting access to the Deliver.class.php file or disabling the functionality related to the `att local name` field until a patch is available. Avoid using the `att local name` field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM General Parallel File System (GPFS) versions 3.4 before 3.4.0.32 IBM General Parallel File System (GPFS) versions 3.5 before 3.5.0.24 IBM General Parallel File System (GPFS) versions 4.1 before 4.1.0.7 **Description** The issue is related to insufficient authentication of network packets when the cipherList configuration parameter is set. This can be exploited by a remote attacker to execute applications with administrator privileges. **Recommendations** For IBM General Parallel File System (GPFS) versions 3.4 before 3.4.0.32, update to version 3.4.0.32 or later. For IBM General Parallel File System (GPFS) versions 3.5 before 3.5.0.24, update to version 3.5.0.24 or later. For IBM General Parallel File System (GPFS) versions 4.1 before 4.1.0.7, update to version 4.1.0.7 or later.

**Name of the Vulnerable Software and Affected Versions** IBM General Parallel File System (GPFS) versions 3.4 through 3.4.0.27 IBM General Parallel File System (GPFS) versions 3.5 through 3.5.0.16 **Description** The issue allows attackers to cause a denial of service, resulting in a daemon crash, by providing crafted arguments to a setuid program. **Recommendations** For IBM General Parallel File System (GPFS) versions 3.4 through 3.4.0.27, update to a version later than 3.4.0.27 to resolve the issue. For IBM General Parallel File System (GPFS) versions 3.5 through 3.5.0.16, update to a version later than 3.5.0.16 to resolve the issue.