Cyber Posture

CVE-2024-27256

Medium

Published: 27 January 2025

Modified: 18 August 2025
CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0009 (25.1th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Description

IBM MQ Container 3.0.0, 3.0.1, 3.1.0 through 3.1.3 CD, 2.0.0 LTS through 2.0.22 LTS and 2.4.0 through 2.4.8, 2.3.0 through 2.3.3, 2.2.0 through 2.2.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

Security Summary

CVE-2024-27256 is a cryptographic weakness in IBM MQ Container, specifically versions 3.0.0, 3.0.1, 3.1.0 through 3.1.3 CD, 2.0.0 LTS through 2.0.22 LTS, 2.4.0 through 2.4.8, 2.3.0 through 2.3.3, and 2.2.0 through 2.2.2. The issue stems from the use of weaker than expected cryptographic algorithms (CWE-327), which could enable decryption of highly sensitive information. It carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

An unauthenticated attacker with network access could potentially exploit this vulnerability. Exploitation requires high attack complexity, with no privileges or user interaction needed. If successful, the attacker could achieve high-impact confidentiality loss by decrypting sensitive data, without impacting integrity or availability.

IBM provides details on mitigation in its security advisory at https://www.ibm.com/support/pages/node/7157667.

Details

CWE(s): CWE-327

Affected Products

Vendor: ibm
Product: mq operator
Versions: 3.0.0, 3.0.1 · 2.0.0 to 2.0.22 · 2.2.0 to 2.2.2 · 2.3.0 to 2.3.3

Vendor: ibm
Product: supplied mq advanced container images
Versions: 9.2.0.1, 9.2.0.2, 9.2.0.4, 9.2.0.5, 9.2.0.6
