CVE-2024-38324Improper Validation of Certificate with Host Mismatch in IBM Storage Defender

CWE-297Improper Validation of Certificate with Host MismatchCWE-295Improper Certificate Validation3 documents3 sources
Severity
6.5MEDIUMNVD
CNA5.9
EPSS
0.1%
top 77.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
IBM Storage DefenderIBM Storage Defender Resiliency Service
Timeline
PublishedSep 25

Description

IBM Storage Defender 2.0.0 through 2.0.7 on-prem defender-sensor-cmd CLI does not validate server name during registration and unregistration operations which could expose sensitive information to an attacker with access to the system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDibm/storage_defender2.0.02.0.8
CVEListV5ibm/storage_defender_resiliency_service2.0.02.0.7

🔴Vulnerability Details

2
GHSA
GHSA-h8vm-65gc-gw46: IBM Storage Defender 22024-09-25
CVEList
IBM Storage Defender improper certificate validation2024-09-24
CVE-2024-38324 — IBM Storage Defender vulnerability | cvebase