Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2024-35160 |
CWE-ID | CWE-613 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Watson Query with Cloud Pak for Data as a Service (Other software / Other software solutions); Db2 Big SQL (Other software / Other software solutions) |
Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU101083
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-35160
CWE-ID: CWE-613 - Insufficient Session Expiration
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient session expiration. A remote non-authenticated attacker can obtain or guess a session token and gain unauthorized access to a session that belongs to another user.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
Watson Query with Cloud Pak for Data as a Service: 1.8 - 2.2
Db2 Big SQL: before 7.7.0
https://www.ibm.com/support/pages/node/7168703
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.