Severity
Medium
Analysis Summary
CVE-2023-47726 CVSS:7.1
IBM QRadar Suite Software 1.10.12.0 through 1.10.21.0 and IBM Cloud Pak for Security 1.10.12.0 through 1.10.21.0 could allow an authenticated user to execute certain arbitrary commands due to improper input validation.
CVE-2024-31870 CVSS:3.3
IBM Db2 for i 7.2, 7.3, 7.4, and 7.5 supplies user defined table function is vulnerable to user enumeration by a local authenticated attacker, without having authority to the related *USRPRF objects. This can be used by a malicious actor to gather information about users that can be targeted in further attacks.
CVE-2024-27275 CVSS:7.4
IBM i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability caused by an insufficient authority requirement. A local user without administrator privilege can configure a physical file trigger to execute with the privileges of a user socially engineered to access the target file. The correction is to require administrator privilege to configure trigger support.
CVE-2024-22333 CVSS:4
IBM Maximo Asset Management 7.6.1.3 and IBM Maximo Application Suite 8.10 and 8.11 allows web pages to be stored locally which can be read by another user on the system.
CVE-2024-25052 CVSS:4.4
IBM Jazz Reporting Service 7.0.3 stores user credentials in plain clear text which can be read by an admin user.
Impact
- Gain Access
- Information Disclosure
- Privilege Escalation
Indicators of Compromise
CVE
- CVE-2023-47726
- CVE-2024-31870
- CVE-2024-27275
- CVE-2024-22333
- CVE-2024-25052
Affected Vendors
Affected Products
- IBM i 7.2
- IBM i 7.3
- IBM i 7.4
- IBM Maximo Asset Management 7.6.1.3
- IBM Cloud Pak for Security 1.10.0.0
- IBM i 7.5
- IBM Cloud Pak for Security 1.10.11.0
- IBM QRadar Suite Software 1.10.12.0
- IBM Maximo Application Suite 8.10
- IBM Maximo Application Suite 8.11
- IBM QRadar Suite Software 1.10.21.0
- IBM Jazz Reporting Service 7.0.3
Remediation
Refer to IBM Security Advisory for patch, upgrade or suggested workaround information.