csaf_certbund - wid-sec-w-2025-0254

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "IBM Security Verify Access, ehemals IBM Security Access Manager (ISAM), ist eine Zugriffsverwaltungsl\u00f6sung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein anonymer oder lokaler Angreifer kann mehrere Schwachstellen in IBM Security Verify Access ausnutzen, um Informationen preiszugeben, erh\u00f6hte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen und einen Cross-Site-Scripting-Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0254 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0254.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0254 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0254"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2025-02-03",
        "url": "https://www.ibm.com/support/pages/node/7182386"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM Security Verify Access: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-02-03T23:00:00.000+00:00",
      "generator": {
        "date": "2025-02-04T11:15:01.599+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2025-0254",
      "initial_release_date": "2025-02-03T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-02-03T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c10.0.9",
                "product": {
                  "name": "IBM Security Verify Access \u003c10.0.9",
                  "product_id": "T040755"
                }
              },
              {
                "category": "product_version",
                "name": "10.0.9",
                "product": {
                  "name": "IBM Security Verify Access 10.0.9",
                  "product_id": "T040755-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:security_verify_access:10.0.9"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.0",
                "product": {
                  "name": "IBM Security Verify Access \u003c11.0",
                  "product_id": "T040756"
                }
              },
              {
                "category": "product_version",
                "name": "11",
                "product": {
                  "name": "IBM Security Verify Access 11.0",
                  "product_id": "T040756-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:security_verify_access:11.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Security Verify Access"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-45658",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Aufgrund einer unsachgem\u00e4\u00dfen Behandlung von Fehlermeldungen werden detaillierte technische Fehlermeldungen ausgegeben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und f\u00fcr weitere Angriffe zu verwenden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040756",
          "T040755"
        ]
      },
      "release_date": "2025-02-03T23:00:00.000+00:00",
      "title": "CVE-2024-45658"
    },
    {
      "cve": "CVE-2024-45659",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Aufgrund einer unsachgem\u00e4\u00dfen Behandlung von Fehlermeldungen werden detaillierte technische Fehlermeldungen ausgegeben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und f\u00fcr weitere Angriffe zu verwenden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040756",
          "T040755"
        ]
      },
      "release_date": "2025-02-03T23:00:00.000+00:00",
      "title": "CVE-2024-45659"
    },
    {
      "cve": "CVE-2024-40700",
      "notes": [
        {
          "category": "description",
          "text": "In IBM Security Verify Access existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden in der Web-UI nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren und eventuell Anmeldedaten preiszugeben. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040756",
          "T040755"
        ]
      },
      "release_date": "2025-02-03T23:00:00.000+00:00",
      "title": "CVE-2024-40700"
    },
    {
      "cve": "CVE-2024-43187",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in IBM Security Verify Access. Die fehlende Verschl\u00fcsselung der Kommunikationskan\u00e4le f\u00fchrt dazu, dass sensible oder sicherheitskritische Daten im Klartext \u00fcbertragen werden. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040756",
          "T040755"
        ]
      },
      "release_date": "2025-02-03T23:00:00.000+00:00",
      "title": "CVE-2024-43187"
    },
    {
      "cve": "CVE-2024-45657",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in IBM Security Verify Access aufgrund einer unsachgem\u00e4\u00dfen Zuweisung von Berechtigungen. Ein lokaler Angreifer mit bestimmten Privilegien kann diese Schwachstelle ausnutzen, um h\u00f6here Privilegien zu erlangen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040756",
          "T040755"
        ]
      },
      "release_date": "2025-02-03T23:00:00.000+00:00",
      "title": "CVE-2024-45657"
    },
    {
      "cve": "CVE-2024-35138",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in IBM Security Verify Access. Fehlende CSRF-Schutzmechanismen erm\u00f6glichen einen Cross-Site-Request-Fgery-Angriff. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen und nicht autorisierte Aktionen im Namen eines vertrauensw\u00fcrdigen Benutzers durchzuf\u00fchren. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040756",
          "T040755"
        ]
      },
      "release_date": "2025-02-03T23:00:00.000+00:00",
      "title": "CVE-2024-35138"
    }
  ]
}

CVE-2024-43187 (GCVE-0-2024-43187)

Vulnerability from cvelistv5

Published

2025-02-04 20:37

Modified

2025-02-22 20:57

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

Summary

IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References

►

URL

Tags

vendor-advisory

Impacted products

Vendor

Product

Version

►

Version: 10.0.0 ≤ 10.0.8

Version: 10.0.0 ≤ 10.0.8

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43187",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T21:06:44.036419Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T21:06:50.814Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Security Verify Access Appliance",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.0.8",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Security Verify Access Container",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.0.8",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors."
            }
          ],
          "value": "IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CWE-319 Cleartext Transmission of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-22T20:57:40.762Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ibm.com/support/pages/node/7182386"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Security Verify Access information disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2024-43187",
    "datePublished": "2025-02-04T20:37:49.166Z",
    "dateReserved": "2024-08-07T13:29:34.029Z",
    "dateUpdated": "2025-02-22T20:57:40.762Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45658 (GCVE-0-2024-45658)

Vulnerability from cvelistv5

Published

2025-02-04 20:37

Modified

2025-02-22 20:58

Severity ?

2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-209 - Generation of Error Message Containing Sensitive Information

Summary

IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.

References

►

URL

Tags

vendor-advisory

Impacted products

Vendor

Product

Version

►

Version: 10.0.0 ≤ 10.0.8

Version: 10.0.0 ≤ 10.0.8

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45658",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T21:07:33.327745Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T21:07:38.249Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Security Verify Access Appliance",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.0.8",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Security Verify Access Container",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.0.8",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system."
            }
          ],
          "value": "IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-22T20:58:47.025Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ibm.com/support/pages/node/7182386"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Security Verify Access information disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2024-45658",
    "datePublished": "2025-02-04T20:37:13.537Z",
    "dateReserved": "2024-09-03T13:50:34.380Z",
    "dateUpdated": "2025-02-22T20:58:47.025Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45659 (GCVE-0-2024-45659)

Vulnerability from cvelistv5

Published

2025-02-04 17:34

Modified

2025-02-22 20:59

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-209 - Generation of Error Message Containing Sensitive Information

Summary

References

►

URL

Tags

vendor-advisory

Impacted products

Vendor

Product

Version

►

Version: 10.0.0 ≤ 10.0.8

Version: 10.0.0 ≤ 10.0.8

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45659",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T18:00:47.534187Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T18:00:54.648Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Security Verify Access Appliance",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.0.8",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Security Verify Access Container",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.0.8",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system."
            }
          ],
          "value": "IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-22T20:59:15.675Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ibm.com/support/pages/node/7182386"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Security Verify Access information disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2024-45659",
    "datePublished": "2025-02-04T17:34:12.764Z",
    "dateReserved": "2024-09-03T13:50:34.380Z",
    "dateUpdated": "2025-02-22T20:59:15.675Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45657 (GCVE-0-2024-45657)

Vulnerability from cvelistv5

Published

2025-02-04 20:40

Modified

2025-02-22 20:58

Severity ?

5.0 (Medium) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

CWE

CWE-732 - Incorrect Permission Assignment for Critical Resource

Summary

IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment.

References

►

URL

Tags

vendor-advisory

Impacted products

Vendor

Product

Version

►

Version: 10.0.0 ≤ 10.0.8

Version: 10.0.0 ≤ 10.0.8

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45657",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T21:04:17.195082Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T21:04:30.023Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Security Verify Access Appliance",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.0.8",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Security Verify Access Container",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.0.8",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment."
            }
          ],
          "value": "IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-22T20:58:11.171Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ibm.com/support/pages/node/7182386"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Security Verify Access incorrect privilege assignment",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2024-45657",
    "datePublished": "2025-02-04T20:40:08.652Z",
    "dateReserved": "2024-09-03T13:50:26.296Z",
    "dateUpdated": "2025-02-22T20:58:11.171Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-35138 (GCVE-0-2024-35138)

Vulnerability from cvelistv5

Published

2025-02-04 20:38

Modified

2025-07-24 01:36

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Summary

IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

References

►

URL

Tags

vendor-advisory, patch

Impacted products

Vendor

Product

Version

►

Version: 10.0.0 ≤ 10.0.8

Version: 10.0.0 ≤ 10.0.8

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-35138",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T21:04:43.659339Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-13T20:13:50.019Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Security Verify Access Appliance",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.0.8",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Security Verify Access Container",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "10.0.8",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts."
            }
          ],
          "value": "IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-24T01:36:26.509Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7182386"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Security Verify Access cross-site request forgery",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2024-35138",
    "datePublished": "2025-02-04T20:38:34.306Z",
    "dateReserved": "2024-05-09T16:27:27.133Z",
    "dateUpdated": "2025-07-24T01:36:26.509Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-40700 (GCVE-0-2024-40700)

Vulnerability from cvelistv5

Published

2025-02-04 20:36

Modified

2025-02-22 20:57

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Summary

IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

References

►

URL

Tags

vendor-advisory

Impacted products

Vendor

Product

Version

►

Version: 10.0.0 ≤ 10.0.8

Version: 10.0.0 ≤ 10.0.8

Show details on NVD website