Sensitive Information Disclosure in IBM MQ Operator Configured with Keycloak
CVE-2025-1333
6 MEDIUM
Summary
Certain configurations of the IBM MQ Operator, when used with Keycloak in the Cloud Pak for Integration, may inadvertently disclose sensitive information to users with elevated privileges. The issue affects LTS versions 2.0.0 to 2.0.29 and various CD and SC2 releases. Users are advised to assess their configurations and implement mitigations as necessary to safeguard sensitive data.
Affected Version(s)
MQ Operator LTS: 2.0.0 through 2.0.29
MQ Operator CD: 3.0.0, 3.0.1, 3.1.0, 3.1.3, 3.4.0, 3.5.0, 3.5.1
MQ Operator SC2: 3.2.0 through 3.2.10
CVSS V3.1
Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed