Unauthorized Report Manipulation in BMC Control-M 9.0.20 and 9.0.21
CVE-2024-1604
6.8 MEDIUM
What is CVE-2024-1604?
Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows any logged-in user to read and modify any report in the application, regardless of the permissions actually granted to that user. The only prerequisite is that the attacker knows the unique identifier of the report they want to manipulate.
The fix for the 9.0.20 branch was released in version 9.0.20.238; the fix for the 9.0.21 branch was released in version 9.0.21.201.
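The following is an added illustration, not code from BMC Control-M or from the advisory: a small Python model of the authorization gap described above, with the object-level check that closes it. The users, report IDs and the `grants` set are constructed for the example.

```python
# Constructed model of the flaw class described above (illustration only, not
# BMC Control-M code): the report handler checks that the caller has a session
# but never checks whether the caller may touch the requested report, so any
# logged-in user who knows a report identifier can change (or read) it.
from dataclasses import dataclass, field

class Forbidden(Exception):
    pass

@dataclass
class User:  # hypothetical session principal
    name: str
    logged_in: bool = True
    grants: set = field(default_factory=set)  # report IDs shared with the user

# Constructed sample data: report ID -> owner and content.
REPORTS = {
    "rpt-1001": {"owner": "alice", "body": "nightly batch summary"},
    "rpt-2002": {"owner": "bob", "body": "payroll job status"},
}

def update_report_vulnerable(user: User, report_id: str, new_body: str) -> str:
    """Pre-fix pattern: authentication only; any known ID can be modified."""
    if not user.logged_in:
        raise Forbidden("login required")
    REPORTS[report_id]["body"] = new_body  # no ownership or permission check
    return new_body

def update_report_fixed(user: User, report_id: str, new_body: str) -> str:
    """Hardened pattern: authorize the specific report, not just the session.
    Missing and forbidden IDs raise the same error, so the response does not
    confirm which identifiers exist."""
    if not user.logged_in:
        raise Forbidden("login required")
    report = REPORTS.get(report_id)
    allowed = report is not None and (
        report["owner"] == user.name or report_id in user.grants)
    if not allowed:
        raise Forbidden("report not accessible")
    report["body"] = new_body
    return new_body

def attempt(handler, *args) -> bool:
    """True if the handler accepted the request, False if it refused."""
    try:
        handler(*args)
        return True
    except Forbidden:
        return False
```

The same ownership-or-grant check belongs on the read path and on every other endpoint that takes a report identifier; checking it in one handler only moves the gap.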
Affected Version(s)
Control-M 9.0.20 < 9.0.20.238
Control-M 9.0.21 < 9.0.21.201
CVSS v3.1
Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Maksymilian Kubiak [Afine Team]
Dawid Małecki [Afine Team]
