CVE-2024-49348

Published: Feb 5, 2025Modified: Aug 12, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 allows restricting access to organizational data to valid contexts. The fact that tasks of type comment can be reassigned via API implicitly grants access to user queries in an unexpected context.

Affected (14)

Products: Ibm: Cloud Pak For Business Automation

Ibm

1 product

Cloud Pak For Business Automation

Configuration A

14 vulnerable

Vulnerable Software	Affected Versions
Ibm Cloud Pak For Business Automation	Version 18.0.0
Ibm Cloud Pak For Business Automation	Version 18.0.1
Ibm Cloud Pak For Business Automation	Version 18.0.2
Ibm Cloud Pak For Business Automation	Version 19.0.1
Ibm Cloud Pak For Business Automation	Version 19.0.2
Ibm Cloud Pak For Business Automation	Version 19.0.3
Ibm Cloud Pak For Business Automation	Version 20.0.1
Ibm Cloud Pak For Business Automation	Version 20.0.2
Ibm Cloud Pak For Business Automation	Version 20.0.3
Ibm Cloud Pak For Business Automation	Version 21.0.1
Ibm Cloud Pak For Business Automation	Version 21.0.2
Ibm Cloud Pak For Business Automation	Version 21.0.3
Ibm Cloud Pak For Business Automation	Version 22.0.1
Ibm Cloud Pak For Business Automation	Version 22.0.2

Related CWEs

CWE-266

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References (1)

https://www.ibm.com/support/pages/node/7182403

Source: psirt@us.ibm.com

Vendor Advisory

Timeline

No history available yet.