CVE-2024-49348

CWE-266 | 3 documents | 3 sources
Severity
6.5 MEDIUM
EPSS
0.1%
top 78.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Feb 5

Description

IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 allows restricting access to organizational data to valid contexts. The fact that tasks of type comment can be reassigned via API implicitly grants access to user queries in an unexpected context.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5: ibm/cloud_pak_for_business_automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2
NVD: ibm/cloud_pak, 14 versions

🔴 Vulnerability Details (2)

GHSA
GHSA-v3q6-3rrv-r75p: IBM Cloud Pak for Business Automation 18 (2025-02-05)
CVEList
IBM Cloud Pak for Business Automation incorrect privilege assignment (2025-02-05)