10

CVE-2024-28787

IBM Security Verify Access information disclosure

IBM Security Verify Access 10.0.0 through 10.0.7 and IBM Application Gateway 20.01 through 24.03 could allow a remote attacker to obtain highly sensitive private information or cause a denial of service using a specially crafted HTTP request.  IBM X-Force ID:  286584.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IbmApplication Gateway Version >= 20.01 <= 24.03
IbmSecurity Verify Access Version >= 10.0.0 <= 10.0.7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.82% 0.522
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 10 3.9 5.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
psirt@us.ibm.com 8.7 2.2 5.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:H
CWE-650 Trusting HTTP Permission Methods on the Server Side

The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.

https://exchange.xforce.ibmcloud.com/vulnerabilities/286584
Vendor Advisory
https://www.ibm.com/support/pages/node/7145828
Vendor Advisory