CVE-2024-35151

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Published: Aug 22, 2024 / Updated: 2mo ago

CVSS 6.5 / EPSS 0.04% / Medium

Summary

IBM OpenPages with Watson 8.3 and 9.0 could allow authenticated users access to sensitive information through improper authorization controls on APIs.

Impact

This vulnerability allows authenticated users to gain unauthorized access to sensitive information. The attack vector is the network, attack complexity is low, and only low privileges are required, with no user interaction. It does not affect the integrity or availability of the system, but it has a high impact on confidentiality. The overall base score is 6.5 (Medium severity).

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. IBM has released a security bulletin with mitigation information on August 23, 2024.

Mitigation

1. Update IBM OpenPages with Watson to the latest patched version as soon as possible.
2. Implement strict access controls and regularly audit user permissions.
3. Monitor and log API access attempts, especially those involving sensitive information.
4. Consider implementing additional authentication layers for critical functions.
5. Regularly review and update authorization controls on APIs.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-35151.

Aug 22, 2024 at 10:23 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Aug 22, 2024 at 10:23 AM
Static CVE Timeline Graph

Affected Systems

Ibm/openpages_with_watson

Patches

www.ibm.com

Links to MITRE ATT&CK

T1083: File and Directory Discovery

Attack Patterns

CAPEC-127: Directory Indexing

References

Security Bulletin: IBM OpenPages vulnerable to exposure of sensitive information through improper authorization controls on APIs. (CVE-2024-35151)

News

Missing authentication for critical function in IBM OpenPages
This security bulletin contains one low risk vulnerability. The vulnerability allows a remote user to gain access to potentially sensitive information.

Security Bulletin: IBM OpenPages vulnerable to exposure of sensitive information through improper authorization controls on APIs. (CVE-2024-35151)
Summary: A vulnerability caused by improper authorization checks could allow authenticated users access to sensitive information through APIs. Vulnerability Details: CVEID: CVE-2024-35151. DESCRIPTION: IBM OpenPages with Watson could allow authenticated users access to sensitive information through improper authorization controls on APIs. CVSS Base score: 6.5. CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/292638 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). Affected Products and Versions: Affected Product(s)

Missing authentication for critical function in IBM OpenPages with Watson
The vulnerability allows a remote user to gain access to potentially sensitive information. The vulnerability exists due to improper authorization controls on APIs. A remote user can gain unauthorized access to sensitive information on the system.

NA - CVE-2024-35151 - IBM OpenPages with Watson 8.3 and 9.0 could...
IBM OpenPages with Watson 8.3 and 9.0 could allow authenticated users access to sensitive information through improper authorization controls on APIs.

CVE-2024-35151 IBM OpenPages information disclosure
IBM OpenPages with Watson 8.3 and 9.0 could allow authenticated users access to sensitive information through improper authorization controls on...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
