Authorization bypass through user-controlled key in IBM InfoSphere Information Server

#VU94667 Authorization bypass through user-controlled key in IBM InfoSphere Information Server

Published: 2024-07-23

Vulnerability identifier: #VU94667

Vulnerability risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-31898

CWE-ID: CWE-639

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM InfoSphere Information Server
Server applications / Database software

Vendor:

Description

The vulnerability allows a remote user to gain access to bypass authentication process or modify data on the system.

The vulnerability exists due to insecure direct object references. An authenticated user can exploit this vulnerability to read or modify sensitive information by bypassing authentication using insecure direct object references.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://www.ibm.com/support/pages/node/7158425
http://exchange.xforce.ibmcloud.com/vulnerabilities/288182

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Authorization bypass through user-controlled key in IBM InfoSphere Information Server