CVE-2024-1604

Published: Mar 18, 2024Modified: Mar 6, 2025

6.8

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 1.6 / Impact: 5.2

Source: NVD

Description

Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.

Affected (2)

Products: Bmc: Control M

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Bmc Control M	From 9.0.20 to 9.0.20.238
Bmc Control M	From 9.0.21 to 9.0.21.201

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (6)

https://cert.pl/en/posts/2024/03/CVE-2024-1604

Source: cvd@cert.pl

Third Party Advisory

https://cert.pl/posts/2024/03/CVE-2024-1604

Source: cvd@cert.pl

Third Party Advisory

https://www.bmc.com/it-solutions/control-m.html

Source: cvd@cert.pl

Product

https://cert.pl/en/posts/2024/03/CVE-2024-1604

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://cert.pl/posts/2024/03/CVE-2024-1604

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.bmc.com/it-solutions/control-m.html

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.