CVE-2025-36005 — Improper Certificate Validation in IBM MQ Operator

CWE-295 — Improper Certificate Validation3 documents3 sources

Severity

6.5MEDIUMNVD

CNA5.9

EPSS

0.0%

top 92.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM MQ Operator IBM Supplied MQ Advanced Container Images

Timeline

PublishedJul 24

Latest updateJul 25

Description

IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, and MQ Operator SC2 3.2.0 through 3.2.13 Internet Pass-Thru could allow a malicious user to obtain sensitive information from another TLS session connection by the proxy to the same hostname and port due to improper certificate validation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5ibm/mq_operator2.0.0 LTS — 2.0.29 LTS+2

▶NVDibm/mq_operator2.0.0 — 2.0.29+6

▶NVDibm/supplied_mq_advanced_container_images25 versions+24

🔴Vulnerability Details

GHSA

GHSA-vx28-r268-g868: IBM MQ Operator LTS 2↗2025-07-25

▶

CVEList

IBM MQ Operator information disclosure↗2025-07-24

▶