CVE-2025-36023

CWE-639 — Insecure Direct Object Reference CWE-476 — NULL Pointer Dereference4 documents4 sources

Severity

6.5MEDIUM

EPSS

0.0%

top 89.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Cloud PAK FOR Business Automation

Timeline

PublishedAug 8

Description

IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5ibm/cloud_pak_for_business_automation24.0.0 — 24.0.0 IF005+1

▶NVDibm/cloud_pak24.0.0, 24.0.1+1

🔴Vulnerability Details

GHSA

GHSA-9fwv-9wqg-4pm8: IBM Cloud Pak for Business Automation 24↗2025-08-08

▶

CVEList

IBM Cloud Pak for Business Automation security bypass↗2025-08-08

▶

📋Vendor Advisories

Microsoft

Julia Lawall reported this null pointer dereference this should fix it.↗2024-05-14

▶