fkie_nvd - fkie_cve-2024-49348

fkie_cve-2024-49348

Vulnerability from fkie_nvd

Published

2025-02-05 12:15

Modified

2025-08-12 16:36

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 allows restricting access to organizational data to valid contexts. The fact that tasks of type comment can be reassigned via API implicitly grants access to user queries in an unexpected context.

References

▶	URL	Tags
	psirt@us.ibm.com	https://www.ibm.com/support/pages/node/7182403	Vendor Advisory

Impacted products

Vendor	Product	Version
ibm	cloud_pak_for_business_automation	18.0.0
ibm	cloud_pak_for_business_automation	18.0.1
ibm	cloud_pak_for_business_automation	18.0.2
ibm	cloud_pak_for_business_automation	19.0.1
ibm	cloud_pak_for_business_automation	19.0.2
ibm	cloud_pak_for_business_automation	19.0.3
ibm	cloud_pak_for_business_automation	20.0.1
ibm	cloud_pak_for_business_automation	20.0.2
ibm	cloud_pak_for_business_automation	20.0.3
ibm	cloud_pak_for_business_automation	21.0.1
ibm	cloud_pak_for_business_automation	21.0.2
ibm	cloud_pak_for_business_automation	21.0.3
ibm	cloud_pak_for_business_automation	22.0.1
ibm	cloud_pak_for_business_automation	22.0.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D419EF8-4D41-4FBE-A41B-9F9EAF7F72EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:18.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "C27956AA-CCEE-4073-A8D7-D1B9575EE25C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "12A70646-ADD3-4CF7-A591-8BE96FBEF5A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "DF6CB2C4-800F-487A-B0E5-8A0A9718549D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:19.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D52711AA-0F11-47E7-8EE8-6B8D65403F8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE2C6F84-C83F-4AE1-B0A7-740568F52C04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC8A641D-B7AB-41FA-AFDB-2C8EBDA6A1A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "250AC4D5-1D25-4EEE-B1CA-AA8E104BBF7B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "6C5B7FA4-A27C-40CA-AA53-183909D18C13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "AF7E2601-47E6-4111-9DE0-C3C01705884A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "BA799229-3577-409F-BFCC-0ABA541EA710",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "A8D6EB68-3804-494D-B12A-2E96E31D1B1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "F22E2017-86A6-4CD1-8192-7A5DF0A1D818",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "517C5EDE-5104-4E22-B9C6-64DFBA7650C3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "IBM Cloud Pak for Business Automation\u00a018.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 \n\n\n\nallows restricting access to organizational data to valid contexts. The fact that tasks of type comment can be reassigned via API implicitly grants access to user queries in an unexpected context."
    },
    {
      "lang": "es",
      "value": "IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1 y 22.0.2 permiten restringir el acceso a los datos de la organizaci\u00f3n a contextos v\u00e1lidos. El hecho de que las tareas de tipo comentario se puedan reasignar a trav\u00e9s de la API otorga impl\u00edcitamente acceso a las consultas de los usuarios en un contexto inesperado."
    }
  ],
  "id": "CVE-2024-49348",
  "lastModified": "2025-08-12T16:36:42.023",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "psirt@us.ibm.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-05T12:15:28.570",
  "references": [
    {
      "source": "psirt@us.ibm.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.ibm.com/support/pages/node/7182403"
    }
  ],
  "sourceIdentifier": "psirt@us.ibm.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-266"
        }
      ],
      "source": "psirt@us.ibm.com",
      "type": "Secondary"
    }
  ]
}

CVE-2024-49348 (GCVE-0-2024-49348)

Vulnerability from cvelistv5

Published

2025-02-05 11:30

Modified

2025-02-22 21:00

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-266 - Incorrect Privilege Assignment

Summary

References

►

URL

Tags

https://www.ibm.com/support/pages/node/7182403