Improper authorization in IBM Storage Protect for Virtual Environments: Data Protection for VMware
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-38329 |
| CWE-ID | CWE-285 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Storage Protect for Virtual Environments: Data Protection for VMware Other software / Other software solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Improper Authorization
EUVDB-ID: #VU94819
Risk: Low
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-38329
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass security restrictions.
The vulnerability exists due to improper validation of user permission. A remote user can send a specially crafted request and exploit this vulnerability to change settings, trigger backups, restore backups, and also delete all previous backups via log rotation.
MitigationInstall update from vendor's website.
Vulnerable software versionsStorage Protect for Virtual Environments: Data Protection for VMware: before 8.1.23.0
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7157929
https://exchange.xforce.ibmcloud.com/vulnerabilities/294994
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
