CVE-2025-36023 (GCVE-0-2025-36023)
Vulnerability from cvelistv5
Published
2025-08-08 14:51
Modified
2025-08-08 15:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key.
References
| ► | URL | Tags | |||||
|---|---|---|---|---|---|---|---|
|
|||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Cloud Pak for Business Automation |
Version: 24.0.0 ≤ 24.0.0 IF005 Version: 24.0.1 ≤ 24.0.1 IF002 cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:ifix5:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:ifix2:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-08T15:07:06.250680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T15:07:16.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:ifix5:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:ifix2:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cloud Pak for Business Automation",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "24.0.0 IF005",
"status": "affected",
"version": "24.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.0.1 IF002",
"status": "affected",
"version": "24.0.1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key."
}
],
"value": "IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T14:51:12.631Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7241570"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Affected Product(s) Version(s) Remediation / Fix\u003cbr\u003eIBM Cloud Pak for Business Automation V24.0.1 - V24.0.1-IF002 Apply security fix 24.0.1-IF004 or upgrade to V25.0.0\u003cbr\u003eIBM Cloud Pak for Business Automation V24.0.0 - V24.0.0-IF005 Upgrade and apply security fix 24.0.0-IF006 or upgrade to 24.0.1-IF004 or upgrade to V25.0.0\u003cbr\u003eIBM Cloud Pak for Business Automation earlier unsupported releases Upgrade to 24.0.0-IF006 or upgrade to 24.0.1-IF004 or upgrade to V25.0.0\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Affected Product(s) Version(s) Remediation / Fix\nIBM Cloud Pak for Business Automation V24.0.1 - V24.0.1-IF002 Apply security fix 24.0.1-IF004 or upgrade to V25.0.0\nIBM Cloud Pak for Business Automation V24.0.0 - V24.0.0-IF005 Upgrade and apply security fix 24.0.0-IF006 or upgrade to 24.0.1-IF004 or upgrade to V25.0.0\nIBM Cloud Pak for Business Automation earlier unsupported releases Upgrade to 24.0.0-IF006 or upgrade to 24.0.1-IF004 or upgrade to V25.0.0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cloud Pak for Business Automation security bypass",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36023",
"datePublished": "2025-08-08T14:51:12.631Z",
"dateReserved": "2025-04-15T21:16:08.835Z",
"dateUpdated": "2025-08-08T15:07:16.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-36023\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2025-08-08T15:15:28.087\",\"lastModified\":\"2025-08-15T18:19:48.543\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key.\"},{\"lang\":\"es\",\"value\":\"IBM Cloud Pak for Business Automation 24.0.0 a 24.0.0 IF005 y 24.0.1 a 24.0.1 IF002 podr\u00edan permitir que un usuario autenticado vea informaci\u00f3n confidencial del usuario y del sistema debido a una referencia de objeto indirecta a trav\u00e9s de una clave controlada por el usuario.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF879B84-21B0-4FD4-AD2E-7F29EBDD218A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_001:*:*:*:*:*:*\",\"matchCriteriaId\":\"496D1A48-3403-471F-AD07-AEC7E5000AD8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_004:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1810412-5987-4F53-A81E-096A4F0187B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_005:*:*:*:*:*:*\",\"matchCriteriaId\":\"9CC01202-3D62-4544-BE9C-47300063896E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"F68528C5-034B-4B2C-8745-B969B14B52C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_001:*:*:*:*:*:*\",\"matchCriteriaId\":\"EADE80E3-4E60-4154-A559-93E2325D799A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_002:*:*:*:*:*:*\",\"matchCriteriaId\":\"D01FC35C-29F1-4D57-8804-07A5C1E9EA85\"}]}]}],\"references\":[{\"url\":\"https://www.ibm.com/support/pages/node/7241570\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-36023\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-08T15:07:06.250680Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-08T15:07:09.436Z\"}}], \"cna\": {\"title\": \"IBM Cloud Pak for Business Automation security bypass\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:ifix5:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:ifix2:*:*:*:*:*:*\"], \"vendor\": \"IBM\", \"product\": \"Cloud Pak for Business Automation\", \"versions\": [{\"status\": \"affected\", \"version\": \"24.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"24.0.0 IF005\"}, {\"status\": \"affected\", \"version\": \"24.0.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"24.0.1 IF002\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Affected Product(s) Version(s) Remediation / Fix\\nIBM Cloud Pak for Business Automation V24.0.1 - V24.0.1-IF002 Apply security fix 24.0.1-IF004 or upgrade to V25.0.0\\nIBM Cloud Pak for Business Automation V24.0.0 - V24.0.0-IF005 Upgrade and apply security fix 24.0.0-IF006 or upgrade to 24.0.1-IF004 or upgrade to V25.0.0\\nIBM Cloud Pak for Business Automation earlier unsupported releases Upgrade to 24.0.0-IF006 or upgrade to 24.0.1-IF004 or upgrade to V25.0.0\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Affected Product(s) Version(s) Remediation / Fix\u003cbr\u003eIBM Cloud Pak for Business Automation V24.0.1 - V24.0.1-IF002 Apply security fix 24.0.1-IF004 or upgrade to V25.0.0\u003cbr\u003eIBM Cloud Pak for Business Automation V24.0.0 - V24.0.0-IF005 Upgrade and apply security fix 24.0.0-IF006 or upgrade to 24.0.1-IF004 or upgrade to V25.0.0\u003cbr\u003eIBM Cloud Pak for Business Automation earlier unsupported releases Upgrade to 24.0.0-IF006 or upgrade to 24.0.1-IF004 or upgrade to V25.0.0\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.ibm.com/support/pages/node/7241570\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639 Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"shortName\": \"ibm\", \"dateUpdated\": \"2025-08-08T14:51:12.631Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-36023\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-08T15:07:16.477Z\", \"dateReserved\": \"2025-04-15T21:16:08.835Z\", \"assignerOrgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"datePublished\": \"2025-08-08T14:51:12.631Z\", \"assignerShortName\": \"ibm\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…