CVE-2024-1604: Incorrect authorization in BMC Control-M
First published: Mon Mar 18 2024(Updated: )
Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.
Credit: cvd@cert.pl
| Affected Software | Affected Version | How to fix |
|---|---|---|
| BMC Control-M/Agent | >=9.0.20<=9.0.21 | |
| >=9.0.20<9.0.20.238 | ||
| >=9.0.21<9.0.21.201 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-1604?
CVE-2024-1604 is considered a high severity vulnerability due to improper authorization allowing unauthorized access to sensitive report data.
How do I fix CVE-2024-1604?
To fix CVE-2024-1604, upgrade BMC Control-M to the latest version that addresses the authorization issues.
Who is affected by CVE-2024-1604?
CVE-2024-1604 affects users of BMC Control-M versions 9.0.20 and 9.0.21.
What can attackers do with CVE-2024-1604?
Attackers can exploit CVE-2024-1604 to read and modify reports in BMC Control-M without proper permissions.
When was CVE-2024-1604 disclosed?
CVE-2024-1604 was disclosed in March 2024.
- agent/title
- agent/references
- agent/first-publish-date
- agent/type
- agent/severity
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/bmc
- canonical/bmc control-m/agent