Cyber Posture

CVE-2024-41766

High

Published: 04 January 2025
Modified: 21 March 2025
KEV Added: not listed
Patch: see the IBM advisory referenced below
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0012 (30.3rd percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-41766 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in IBM Engineering Lifecycle Optimization - Publishing. Its CVSS v3.1 base score is 7.5 (High); the vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) is a pure availability impact reachable without privileges or user interaction.

Operationally, its EPSS score of 0.0012 ranks it at the 30.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The mitigations our analysis ranks highest are NIST 800-53 SC-5 (Denial-of-Service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Patching (prevent): Directly mitigates the CVE by requiring timely remediation of the known ReDoS flaw through patching as advised by IBM.

SC-5 Denial-of-Service Protection (prevent): Provides protection against denial-of-service conditions such as resource exhaustion from complex regular expressions, for example by bounding the CPU time and memory a single request can consume.

SI-10 Information Input Validation (prevent): Enforces validation of inputs (length limits, character-set restrictions, rejection of attacker-supplied patterns) so that specially crafted input cannot drive a regular-expression match into excessive resource consumption.

NVD Description

IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause a denial of service using a complex regular expression.

Deeper analysisAI

CVE-2024-41766 is a denial-of-service vulnerability affecting IBM Engineering Lifecycle Optimization - Publishing versions 7.0.2 and 7.0.3. The flaw, classified under CWE-1333, arises from a regular-expression match whose worst-case cost grows far faster than the input: a backtracking engine evaluating a pattern with nested or overlapping quantifiers against an input that almost matches can take exponential time before reporting failure. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity because of the availability impact combined with no authentication and no user interaction.

A remote attacker can exploit this vulnerability over the network with low complexity and no privileges by sending a specially crafted request involving a complex regular expression. The advisory does not say whether the attacker supplies the pattern itself or whether attacker-controlled input drives a pattern built into the product; CWE-1333 covers both, and the second form is the more common one, so input reaching any server-side regex should be treated as in scope. Successful exploitation results in a denial of service, potentially pinning a worker thread or CPU core per request and rendering the service unresponsive, though it does not enable data exfiltration, modification, or privilege escalation.
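The block below is an added example written for this page; it is not IBM's code and the pattern, input bound (64 characters) and linter heuristic are assumptions for illustration, since the advisory does not disclose the affected pattern. It shows the CWE-1333 mechanism described above (match time for a nested-quantifier pattern doubling with each extra character of a near-matching input, while an equivalent single-quantifier pattern stays linear) and the SI-10 style gate from the Mitigating Controls section: a static check that flags quantified groups containing quantifiers, and a length cap applied before the backtracking engine runs.

```python
import re
import time

# Constructed demonstration: NOT the pattern from IBM Engineering Lifecycle
# Optimization - Publishing, which the advisory does not disclose.

# Nested quantifier: "aaaa" can be split between the inner '+' and the outer
# '+' in 2^(n-1) ways, and a backtracking engine tries every split before it
# gives up on an input that cannot match.
VULNERABLE_PATTERN = re.compile(r"^(a+)+$")
# Same language, one quantifier: exactly one way to consume each 'a'.
SAFE_PATTERN = re.compile(r"^a+$")

MAX_INPUT_LEN = 64   # assumed bound for the demo gate; choose per field in real code


def pathological_input(n: int) -> str:
    """n repeats of the looped character, then one that forces the match to fail."""
    return "a" * n + "!"


def time_match(pattern: re.Pattern, text: str):
    """Return (matched, seconds) for a single match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def growth_table(pattern: re.Pattern, sizes):
    """Seconds per attempt for each input size; exponential for VULNERABLE_PATTERN."""
    return {n: time_match(pattern, pathological_input(n))[1] for n in sizes}


def has_nested_quantifier(pattern: str) -> bool:
    """Static heuristic: a quantified group whose body already contains a quantifier.

    Conservative on purpose: it also flags bounded forms such as (?:\\d{1,3}\\.){3},
    which are usually harmless, so treat a hit as 'review this', not 'exploitable'.
    """
    quantifiers = "*+?{"
    stack = []                       # per open group: has a quantifier appeared inside it?
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                # escaped character: never a group or quantifier
            i += 2
        elif c == "[":               # skip a character class wholesale
            i += 1
            while i < n and pattern[i] != "]":
                i += 2 if pattern[i] == "\\" else 1
            i += 1
        elif c == "(":
            stack.append(False)
            i += 1
            if i < n and pattern[i] == "?":   # (?:...), (?=...): this '?' is a group flag
                i += 1
        elif c == ")":
            inner = stack.pop() if stack else False
            i += 1
            if inner and i < n and pattern[i] in quantifiers:
                return True          # quantifier applied to a group that loops internally
            if inner and stack:
                stack[-1] = True     # the enclosing group now contains a quantifier
        else:
            if c in quantifiers and stack:
                stack[-1] = True
            i += 1
    return False


def guarded_match(pattern_src: str, text: str, max_len: int = MAX_INPUT_LEN) -> bool:
    """SI-10 style gate: refuse a risky pattern and oversize input before the
    backtracking engine sees them, raising instead of hanging a worker."""
    if has_nested_quantifier(pattern_src):
        raise ValueError("pattern rejected: nested quantifier is a ReDoS risk")
    if len(text) > max_len:
        raise ValueError(f"input rejected: {len(text)} chars exceeds {max_len}")
    return re.fullmatch(pattern_src, text) is not None


if __name__ == "__main__":
    sizes = (8, 12, 16, 18)
    for name, pat in (("vulnerable", VULNERABLE_PATTERN), ("safe", SAFE_PATTERN)):
        for n, secs in growth_table(pat, sizes).items():
            print(f"{name:10s} n={n:2d}  {secs * 1000:9.3f} ms")
    print("linter flags vulnerable pattern:", has_nested_quantifier(VULNERABLE_PATTERN.pattern))
    print("guarded match on benign input:", guarded_match(SAFE_PATTERN.pattern, "a" * 40))
```

Stand-alone, the table shows the vulnerable pattern's time roughly doubling per extra character while the safe pattern stays flat; stopping at 18 characters keeps the demo to a fraction of a second, but the same input at 30 characters would occupy a worker for minutes, which is the whole exploit. The linter is a deployment-time check, not a runtime one: run it over the patterns a service compiles, and apply the length cap to every field that reaches a regex.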

IBM has published a security advisory at https://www.ibm.com/support/pages/node/7180203 providing details on the vulnerability and available patches or workarounds for mitigation. Security practitioners should review the advisory for version-specific remediation steps to protect affected deployments.

Details

CWE(s): CWE-1333 (Inefficient Regular Expression Complexity)

Affected Products

IBM Engineering Lifecycle Optimization - Publishing: 7.0.2, 7.0.3

CVEs Like This One

CVE-2024-41767 (same product: IBM Engineering Lifecycle Optimization - Publishing)
CVE-2024-41763 (same product: IBM Engineering Lifecycle Optimization - Publishing)
CVE-2024-49779 (Linux kernel)
CVE-2024-49781 (Linux kernel)
CVE-2025-13916 (Linux kernel)
CVE-2024-49782 (Linux kernel)
CVE-2024-54171 (Linux kernel)
CVE-2025-36258 (Linux kernel)
CVE-2025-13855 (Linux kernel)
CVE-2024-7577 (Linux kernel)

References

IBM security advisory: https://www.ibm.com/support/pages/node/7180203