cnvd - cnvd-2025-12280

cnvd-2025-12280

Vulnerability from cnvd

Title: IBM Application Gateway权限分配不正确漏洞

Description:

IBM Application Gateway是美国国际商业机器（IBM）公司的一个应用网关。提供了一个容器化的安全Web反向代理，该代理旨在位于您的应用程序之前，为您的应用程序无缝添加身份验证和授权保护。

IBM Application Gateway 19.12至24.09版本存在权限分配不正确漏洞，攻击者可利用该漏洞导致本地特权用户执行未授权操作。

Severity: 中

Patch Name: IBM Application Gateway权限分配不正确漏洞的补丁

Patch Description:

IBM Application Gateway 19.12至24.09版本存在权限分配不正确漏洞，攻击者可利用该漏洞导致本地特权用户执行未授权操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://www.ibm.com/support/pages/node/7235378

Reference: https://www.ibm.com/support/pages/node/7235378

Impacted products

Name
IBM IBM Application Gateway >=19.12，<=24.09

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-45655",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-45655"
    }
  },
  "description": "IBM Application Gateway\u662f\u7f8e\u56fd\u56fd\u9645\u5546\u4e1a\u673a\u5668\uff08IBM\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u7f51\u5173\u3002\u63d0\u4f9b\u4e86\u4e00\u4e2a\u5bb9\u5668\u5316\u7684\u5b89\u5168Web\u53cd\u5411\u4ee3\u7406\uff0c\u8be5\u4ee3\u7406\u65e8\u5728\u4f4d\u4e8e\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u4e4b\u524d\uff0c\u4e3a\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u65e0\u7f1d\u6dfb\u52a0\u8eab\u4efd\u9a8c\u8bc1\u548c\u6388\u6743\u4fdd\u62a4\u3002\n\nIBM Application Gateway 19.12\u81f324.09\u7248\u672c\u5b58\u5728\u6743\u9650\u5206\u914d\u4e0d\u6b63\u786e\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u672c\u5730\u7279\u6743\u7528\u6237\u6267\u884c\u672a\u6388\u6743\u64cd\u4f5c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.ibm.com/support/pages/node/7235378",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-12280",
  "openTime": "2025-06-12",
  "patchDescription": "IBM Application Gateway\u662f\u7f8e\u56fd\u56fd\u9645\u5546\u4e1a\u673a\u5668\uff08IBM\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u7f51\u5173\u3002\u63d0\u4f9b\u4e86\u4e00\u4e2a\u5bb9\u5668\u5316\u7684\u5b89\u5168Web\u53cd\u5411\u4ee3\u7406\uff0c\u8be5\u4ee3\u7406\u65e8\u5728\u4f4d\u4e8e\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u4e4b\u524d\uff0c\u4e3a\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u65e0\u7f1d\u6dfb\u52a0\u8eab\u4efd\u9a8c\u8bc1\u548c\u6388\u6743\u4fdd\u62a4\u3002\r\n\r\nIBM Application Gateway 19.12\u81f324.09\u7248\u672c\u5b58\u5728\u6743\u9650\u5206\u914d\u4e0d\u6b63\u786e\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u672c\u5730\u7279\u6743\u7528\u6237\u6267\u884c\u672a\u6388\u6743\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Application Gateway\u6743\u9650\u5206\u914d\u4e0d\u6b63\u786e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "IBM IBM Application Gateway \u003e=19.12\uff0c\u003c=24.09"
  },
  "referenceLink": "https://www.ibm.com/support/pages/node/7235378",
  "serverity": "\u4e2d",
  "submitTime": "2025-06-11",
  "title": "IBM Application Gateway\u6743\u9650\u5206\u914d\u4e0d\u6b63\u786e\u6f0f\u6d1e"
}

CVE-2024-45655 (GCVE-0-2024-45655)

Vulnerability from cvelistv5

Published

2025-06-03 14:48

Modified

2025-08-24 11:59

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-732 - Incorrect Permission Assignment for Critical Resource

Summary

IBM Application Gateway 19.12 through 24.09 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment.

References

▼	URL	Tags
	https://www.ibm.com/support/pages/node/7235378	vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	IBM	Application Gateway	Version: 19.12 ≤ 24.09 cpe:2.3:a:ibm:application_gateway:19.12:::::::* cpe:2.3:a:ibm:application_gateway:24.09:::::::*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45655",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-03T14:56:34.475317Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-03T14:56:52.361Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:application_gateway:19.12:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:application_gateway:24.09:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "Application Gateway",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "24.09",
              "status": "affected",
              "version": "19.12",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Application Gateway 19.12 through 24.09 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment."
            }
          ],
          "value": "IBM Application Gateway 19.12 through 24.09 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-24T11:59:21.665Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7235378"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM strongly recommends that customers update to the latest versions of software.\u003cbr\u003eThe IBM Verify Identity Access version 24.12.0 fixes these vulnerabilities and can be downloaded with instruction contained in IBM Application Gateway Containers"
            }
          ],
          "value": "IBM strongly recommends that customers update to the latest versions of software.\nThe IBM Verify Identity Access version 24.12.0 fixes these vulnerabilities and can be downloaded with instruction contained in IBM Application Gateway Containers"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Application Gateway incorrect permission assignment",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2024-45655",
    "datePublished": "2025-06-03T14:48:55.648Z",
    "dateReserved": "2024-09-03T13:50:26.296Z",
    "dateUpdated": "2025-08-24T11:59:21.665Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted