Multiple vulnerabilities in IBM MQ Operator



Risk: Critical
Patch available: Yes
Number of vulnerabilities: 25
CVE-ID: CVE-2023-21939, CVE-2024-35155, CVE-2024-39742, CVE-2024-31912, CVE-2024-35116, CVE-2024-29857, CVE-2024-31919, CVE-2024-22329, CVE-2024-39743, CVE-2023-21937, CVE-2023-21967, CVE-2024-30171, CVE-2024-34447, CVE-2024-27268, CVE-2023-41993, CVE-2023-21930, CVE-2023-21954, CVE-2024-30172, CVE-2023-21938, CVE-2024-35156, CVE-2024-22354, CVE-2024-21085, CVE-2023-51775, CVE-2024-22353, CVE-2024-25026
CWE-ID: CWE-20, CWE-211, CWE-697, CWE-264, CWE-388, CWE-400, CWE-918, CWE-789, CWE-203, CWE-345, CWE-119, CWE-835, CWE-611
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available. Vulnerability #15 is being exploited in the wild.
Vulnerable software: IBM MQ Operator (Server applications / Other server solutions)
Vendor: IBM Corporation

Security Bulletin

This security bulletin contains information about 25 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU75264

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2023-21939

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Swing component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

2) Information exposure through externally-generated error message

EUVDB-ID: #VU93445

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-35155

CWE-ID: CWE-211 - Externally-generated error message containing sensitive information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the IBM MQ Console while handling error conditions. A remote attacker can obtain sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Incorrect Comparison

EUVDB-ID: #VU109594

Risk: Critical

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red]

CVE-ID: CVE-2024-39742

CWE-ID: CWE-697 - Incorrect Comparison

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a partial string comparison. A remote attacker can bypass authentication under certain configurations and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU93441

Risk: Medium

CVSSv4.0: 5.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-31912

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper error handling

EUVDB-ID: #VU93442

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-35116

CWE-ID: CWE-388 - Error Handling

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error applying configuration changes. A remote attacker can send specially crafted requests to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Resource exhaustion

EUVDB-ID: #VU89218

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-29857

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the library does not properly control consumption of internal resources when importing an EC certificate with specially crafted F2m parameters. A remote attacker can pass a specially crafted certificate to the application to trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper error handling

EUVDB-ID: #VU93444

Risk: Medium

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-31919

CWE-ID: CWE-388 - Error Handling

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in processing messages when an API Exit using MQBUFMH is used. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU88803

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-22329

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Uncontrolled Memory Allocation

EUVDB-ID: #VU109596

Risk: High

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-39743

CWE-ID: CWE-789 - Uncontrolled Memory Allocation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect memory de-allocation. A remote attacker can cause the server to consume memory resources and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper input validation

EUVDB-ID: #VU75267

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-21937

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper input validation

EUVDB-ID: #VU75261

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-21967

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Observable discrepancy

EUVDB-ID: #VU89219

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-30171

CWE-ID: CWE-203 - Observable discrepancy

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a possible timing-based leakage in RSA-based handshakes. A remote attacker can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Insufficient verification of data authenticity

EUVDB-ID: #VU89221

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-34447

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because hostname verification is performed against a DNS-resolved IP address when endpoint identification is enabled in the BCJSSE and an SSL socket is not created with an explicit hostname. A remote attacker can bypass implemented security restrictions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Resource exhaustion

EUVDB-ID: #VU88136

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-27268

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Buffer overflow

EUVDB-ID: #VU81042

Risk: Critical

CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2023-41993

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: the vulnerability is being actively exploited in the wild.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

16) Improper input validation

EUVDB-ID: #VU75260

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-21930

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Improper input validation

EUVDB-ID: #VU75262

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-21954

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Infinite loop

EUVDB-ID: #VU89220

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-30172

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop in the Ed25519 verification code. A remote attacker can pass a specially crafted signature and public key to the application, consume all available system resources and cause denial of service conditions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Improper input validation

EUVDB-ID: #VU75265

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-21938

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Information exposure through externally-generated error message

EUVDB-ID: #VU93443

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-35156

CWE-ID: CWE-211 - Externally-generated error message containing sensitive information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application while handling error conditions. A remote attacker can obtain sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) XML External Entity injection

EUVDB-ID: #VU88802

Risk: High

CVSSv4.0: 6.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-22354

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary files on the server or perform network scanning of internal and external infrastructure.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Improper input validation

EUVDB-ID: #VU88665

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21085

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to cause service disruption.

The vulnerability exists due to improper input validation within the Concurrency component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to cause service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Resource exhaustion

EUVDB-ID: #VU88173

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-51775

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion via a large p2c (aka PBES2 Count) value and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Resource exhaustion

EUVDB-ID: #VU88123

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-22353

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Resource exhaustion

EUVDB-ID: #VU88977

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-25026

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources when handling HTTP requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM MQ Operator: 2.0.24 - 3.2.2

External links

https://www.ibm.com/support/pages/node/7159714


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


