#VU97306 Incorrect Privilege Assignment in IBM MQ Operator - CVE-2024-40681

Cybersecurity Help s.r.o.

Published: 2024-09-16

Vulnerability identifier: #VU97306

Vulnerability risk: Low

CVSSv4.0: 5.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-40681

CWE-ID: CWE-266

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM MQ Operator
Server applications / Other server solutions

Vendor: IBM Corporation

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions. An authenticated user in a specifically defined role can bypass security restrictions and execute actions against the queue manager.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.26 - 3.2.4

External links
https://www.ibm.com/support/pages/node/7167732
https://exchange.xforce.ibmcloud.com/vulnerabilities/297611

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

Multiple vulnerabilities in IBM WebSphere Remote Server

Incorrect privilege assignment in IBM MQ Appliance

Incorrect privilege assignment in IBM MQ

Multiple vulnerabilities in IBM MQ Operator and Queue manager container images