CVE-2024-41766
Published: 04 January 2025
Summary
CVE-2024-41766 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in IBM Engineering Lifecycle Optimization - Publishing. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 30.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-41766 is a denial-of-service vulnerability affecting IBM Engineering Lifecycle Optimization - Publishing versions 7.0.2 and 7.0.3. The flaw, classified under CWE-1333, arises from the use of a complex regular expression that can be exploited to consume excessive resources, leading to service disruption. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for significant availability impact without requiring authentication or user interaction.
A remote attacker can exploit this vulnerability over the network with low complexity and no privileges by sending a specially crafted request containing a complex regular expression. Successful exploitation results in a denial of service, potentially crashing the affected service or rendering it unresponsive, though it does not enable data exfiltration, modification, or privilege escalation.
IBM has published a security advisory at https://www.ibm.com/support/pages/node/7180203 providing details on the vulnerability and available patches or workarounds for mitigation. Security practitioners should review the advisory for version-specific remediation steps to protect affected deployments.
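The analysis above describes the mechanism of CWE-1333 (a backtracking regex engine handed a pattern whose unbounded quantifiers nest, so a short non-matching input forces exponential work) and names SI-10, input validation, as a mitigating control. The following is an added example of what such a control can look like in code; it is not IBM's fix and not code from the advisory. It assumes, as the description above implies, that the vulnerable code compiles patterns taken from the request. The check is a heuristic (it flags nested unbounded quantifiers and over-long patterns) and relies on CPython's internal regex parser (`re._parser`, formerly `sre_parse`), which is not a public API; the sample patterns are constructed for illustration.

```python
"""Pre-compilation guard for untrusted regular expressions (added example).

Rejects patterns that nest unbounded quantifiers, e.g. (a+)+ or (\w+\s?)*,
which are the classic shape behind catastrophic backtracking, before they
reach re.compile(). Heuristic only; uses CPython's internal parser.
"""
import re

try:  # CPython 3.11+ moved the parser; older versions expose sre_parse.
    from re import _parser as sre_parse
except ImportError:
    import sre_parse  # type: ignore[no-redef]

MAX_PATTERN_LEN = 256  # constructed limit; tune to the application

_POSSESSIVE = getattr(sre_parse, "POSSESSIVE_REPEAT", None)  # 3.11+
_ATOMIC = getattr(sre_parse, "ATOMIC_GROUP", None)           # 3.11+


def _walk(subpattern, unbounded_depth):
    """Return True if an unbounded repeat sits inside another unbounded repeat.

    unbounded_depth counts the unbounded (max == MAXREPEAT) repeats that
    enclose the node being visited, including the node itself.
    """
    for op, av in subpattern:
        if op in (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT):
            _lo, hi, body = av
            depth = unbounded_depth + (1 if hi == sre_parse.MAXREPEAT else 0)
            if depth >= 2:
                return True
            if _walk(body, depth):
                return True
        elif op == sre_parse.SUBPATTERN:
            # av = (group, add_flags, del_flags, body)
            if _walk(av[-1], unbounded_depth):
                return True
        elif op == sre_parse.BRANCH:
            # av = (None, [alternative, alternative, ...])
            if any(_walk(alt, unbounded_depth) for alt in av[1]):
                return True
        elif op in (sre_parse.ASSERT, sre_parse.ASSERT_NOT):
            # av = (direction, body)
            if _walk(av[1], unbounded_depth):
                return True
        elif _POSSESSIVE is not None and op == _POSSESSIVE:
            # Possessive repeats never backtrack: walk the body without counting.
            if _walk(av[2], unbounded_depth):
                return True
        elif _ATOMIC is not None and op == _ATOMIC:
            # Atomic groups do not backtrack into their body either.
            if _walk(av, unbounded_depth):
                return True
    return False


def is_risky_pattern(pattern: str) -> bool:
    """True if the pattern nests unbounded quantifiers (backtracking risk)."""
    return _walk(sre_parse.parse(pattern), 0)


def compile_untrusted(pattern: str):
    """Compile a request-supplied pattern only after size and structure checks."""
    if len(pattern) > MAX_PATTERN_LEN:
        raise ValueError("pattern too long")
    try:
        parsed = sre_parse.parse(pattern)
    except re.error as exc:
        raise ValueError(f"invalid pattern: {exc}") from None
    if _walk(parsed, 0):
        raise ValueError("pattern nests unbounded quantifiers; rejected")
    return re.compile(pattern)


def rejects(pattern: str) -> bool:
    """Convenience wrapper: does compile_untrusted refuse this pattern?"""
    try:
        compile_untrusted(pattern)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample patterns: two classic ReDoS shapes, two benign ones.
    for p in [r"^(a+)+$", r"(\w+\s?)*$", r"^[a-z]+@[a-z]+\.[a-z]{2,6}$", r"^\d{4}-\d{2}$"]:
        print(f"{p!r:40} risky={is_risky_pattern(p)} rejected={rejects(p)}")
```

The guard is deliberately conservative: a pattern such as `(a+){1,3}` passes because the outer repeat is bounded, while anything with two unbounded quantifiers on one nesting path is refused. Where the engine can be chosen, a linear-time matcher (RE2-style, as in Go's `regexp`) removes the problem class entirely; where it cannot, a check of this kind plus a cap on pattern and subject length is the SI-10 control the page refers to.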
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38903
Vulnerability details
IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause a denial of service using a complex regular expression.
- CWE(s): CWE-1333 (Inefficient Regular Expression Complexity)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A ReDoS vulnerability in a public-facing application directly enables application-layer DoS via crafted input (T1499.004).
Affected Assets
IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by requiring timely remediation of the known ReDoS flaw through patching, as advised by IBM.
- SC-5 (Denial-of-service Protection): provides comprehensive protection against denial-of-service attacks such as resource exhaustion from complex regular expressions.
- SI-10 (Information Input Validation): enforces validation of inputs to block specially crafted complex regular expressions that trigger excessive resource consumption.