CVE-2024-49348: IBM Cloud Pak for Business Automation incorrect privilege assignment
First published: Tue Feb 04 2025(Updated: )
IBM Business Automation Workflow allows restricting access to organizational data to valid contexts. The fact that tasks of type comment can be reassigned via API implicitly grants access to user queries in an unexpected context.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Cloud Pak for Business Automation | >=18.0.0<=22.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-49348?
CVE-2024-49348 is rated as a high-severity vulnerability due to its potential for unauthorized access to sensitive data.
How do I fix CVE-2024-49348?
To mitigate CVE-2024-49348, update your IBM Cloud Pak for Business Automation to version 22.0.3 or later.
What systems are affected by CVE-2024-49348?
CVE-2024-49348 affects IBM Cloud Pak for Business Automation versions 18.0.0 through 22.0.2.
What types of data are at risk due to CVE-2024-49348?
CVE-2024-49348 may result in unauthorized access to organizational data through user queries.
Is there a workaround for CVE-2024-49348?
Currently, there are no official workarounds for CVE-2024-49348 other than applying the recommended updates.
- collector/mitre-cve
- source/MITRE
- collector/ibm-support
- source/IBM
- agent/title
- agent/weakness
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/author
- agent/source
- agent/severity
- agent/tags
- agent/event
- vendor/ibm
- canonical/ibm cloud pak for business automation