
Multiple IBM Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-49819 CVSS: 4.1

IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 could allow a remote attacker to obtain sensitive information that is transmitted in cleartext over a communication channel that can be sniffed by unauthorized actors.

CVE-2024-49340 CVSS: 4.3

IBM Watson Studio Local 1.2.3 is vulnerable to cross-site request forgery (CSRF), which could allow an attacker to cause malicious and unauthorized actions to be submitted by a user that the website trusts.

CVE-2024-52360 CVSS: 4.7

IBM Concert Software 1.0.0, 1.0.1, 1.0.2, and 1.0.2.1 are vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.

CVE-2024-52899 CVSS: 6

IBM Data Virtualization Manager for z/OS 1.1 and 1.2 could allow an authenticated user to inject malicious JDBC URL parameters and execute code on the server.

CVE-2024-54181 CVSS: 5.9

IBM WebSphere Automation 1.7.5 could allow a remote privileged user who has authorized access to the Swagger UI to execute arbitrary code. Using specially crafted input, the user could exploit this vulnerability to execute arbitrary code on the system.

Impact

  • Information Disclosure
  • Data Manipulation
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2024-49819
  • CVE-2024-49340
  • CVE-2024-52360
  • CVE-2024-52899
  • CVE-2024-54181

Affected Vendors

IBM

Affected Products

  • IBM Watson Studio Local 1.2.3
  • IBM Data Virtualization Manager for z/OS 1.1 and 1.2
  • IBM WebSphere Automation 1.7.5
  • IBM Security Guardium Key Lifecycle Manager 4.1.1
  • IBM Security Guardium Key Lifecycle Manager 4.2.0
  • IBM Security Guardium Key Lifecycle Manager 4.2.1
  • IBM Concert Software 1.0.0
  • IBM Concert Software 1.0.1
  • IBM Concert Software 1.0.2
  • IBM Concert Software 1.0.2.1

Remediation

Refer to the IBM Security Bulletin for each CVE for patch, upgrade, or suggested workaround information.

  • CVE-2024-49819
  • CVE-2024-49340
  • CVE-2024-52360
  • CVE-2024-52899
  • CVE-2024-54181