Access Control Vulnerability in IBM Cloud Pak for Business Automation
CVE-2024-49348

4.3MEDIUM

Key Information:

Vendor: IBM
Status: Cloud Pak For Business Automation
Vendor: CVE Published:; 5 February 2025

Summary

An access control vulnerability in IBM Cloud Pak for Business Automation allows improperly restricted access to organizational data. Specifically, the reassignment of comment tasks through an API inadvertently enables access to user queries in contexts that should be limited, posing a risk for unauthorized data visibility.

Affected Version(s)

Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2

References

https://www.ibm.com/support/pages/node/7182403

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 5, 2025
Vulnerability Reserved
Oct 14, 2024