Cyber Posture

CVE-2024-31903

Severity: High

Published: 22 January 2025
Modified: 05 March 2025
KEV Added: (none recorded)
Patch: see the IBM security bulletin linked below
CVSS Score: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1819 (95.2th percentile)
Risk Priority: 29 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 allow an attacker on the local network to execute arbitrary code on the system, caused by the deserialization of untrusted data.

Security Summary

CVE-2024-31903 is a high-severity vulnerability (CVSS 8.8) in IBM Sterling B2B Integrator Standard Edition, affecting versions 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2. It stems from CWE-502, the deserialization of untrusted data, which enables an attacker on the local network to execute arbitrary code on the system.

An unauthenticated attacker with adjacent network access (AV:A) can exploit this vulnerability with low attack complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N); the scope is unchanged (S:U). Successful exploitation has high impact on confidentiality, integrity and availability (C:H/I:H/A:H), i.e. arbitrary code execution on the targeted system.

IBM has published details and mitigation guidance in its security bulletin at https://www.ibm.com/support/pages/node/7172233, published on 2025-01-22. Security practitioners should consult this advisory for patching instructions and workarounds applicable to the affected versions.

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Affected Products

IBM Sterling B2B Integrator: 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2

References