Incorrect Privilege Assignment in IBM MQ Operator

#VU97306 Incorrect Privilege Assignment in IBM MQ Operator

Published: 2024-09-16

Vulnerability identifier: #VU97306

Vulnerability risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-40681

CWE-ID: CWE-266

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM MQ Operator
Server applications / Other server solutions

Vendor: IBM Corporation

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions. An authenticated user in a specifically defined role can bypass security restrictions and execute actions against the queue manager.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.26 - 3.2.4

External links
http://www.ibm.com/support/pages/node/7167732
http://exchange.xforce.ibmcloud.com/vulnerabilities/297611

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Incorrect privilege assignment in IBM MQ Appliance

Incorrect privilege assignment in IBM MQ

Multiple vulnerabilities in IBM MQ Operator and Queue manager container images