Cyber Posture

CVE-2024-38337

Severity: Critical
Published: 19 January 2025
Modified: 25 July 2025
KEV Added: (no date listed)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0011 (28.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

IBM Sterling Secure Proxy 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.1.0.0, and 6.2.0.0 could allow an unauthorized attacker to retrieve or alter sensitive information contents due to incorrect permission assignments.

Security Summary

CVE-2024-38337 is a critical-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting IBM Sterling Secure Proxy versions 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.1.0.0, and 6.2.0.0. The root cause is an incorrect permission assignment on a critical resource (CWE-732), which lets an unauthorized attacker retrieve or alter sensitive information.

The vulnerability is exploitable over the network (AV:N) by an unauthenticated attacker (PR:N), with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation has high impact on confidentiality (C:H) and integrity (I:H) and none on availability (A:N): the attacker can read or modify sensitive data handled by the proxy but cannot take it offline through this flaw. Because Sterling Secure Proxy typically sits in the DMZ in front of managed file transfer and B2B integration systems, unauthorized read or write access to the data it handles can expose or corrupt transfers to the systems behind it.

IBM has published a security bulletin with the fix level for each affected release at https://www.ibm.com/support/pages/node/7179166. Apply the fix that matches your release, and because the flaw is exploitable without authentication, treat any Internet-facing instance still on an affected version as exposed until it is upgraded.

Details

CWE(s)
CWE-732: Incorrect Permission Assignment for Critical Resource

Affected Products

IBM Sterling Secure Proxy: 6.0.0.0 through 6.0.3.1; 6.1.0.0; 6.2.0.0

Note that the description above lists only 6.0.0.0 through 6.0.0.3 for the 6.0 line, while this product record extends the range to 6.0.3.1. Check the exact fix level for your release against the IBM bulletin rather than relying on either list alone.
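The two version statements on this page do not agree, so an inventory check should evaluate both and flag the disagreement rather than silently pick one. The following is an added example, not code from the original page or from IBM: it parses dotted version strings, tests each against the exact versions from the description and the range from the product record, and triages a constructed host inventory. Host names and versions in SAMPLE_INVENTORY are made up for the example.

```python
# Exact builds named in the advisory description.
DESCRIPTION_VERSIONS = ("6.0.0.0", "6.0.0.1", "6.0.0.2", "6.0.0.3", "6.1.0.0", "6.2.0.0")

# Inclusive ranges from the Affected Products record on this page.
PRODUCT_RECORD_RANGES = (("6.0.0.0", "6.0.3.1"), ("6.1.0.0", "6.1.0.0"), ("6.2.0.0", "6.2.0.0"))


def parse_version(text, width=4):
    """Turn '6.0.3' into a zero-padded tuple (6, 0, 3, 0) so tuples compare
    numerically; rejects anything that is not purely dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > width:
        raise ValueError("unsupported version string: %r" % text)
    values = tuple(int(p) for p in parts)
    return values + (0,) * (width - len(values))


def listed_as_affected(version):
    """Return (by_description, by_product_record) for a version string.
    A False result means the version is not listed, not that it is fixed."""
    v = parse_version(version)
    by_description = v in {parse_version(x) for x in DESCRIPTION_VERSIONS}
    by_product_record = any(
        parse_version(lo) <= v <= parse_version(hi) for lo, hi in PRODUCT_RECORD_RANGES
    )
    return by_description, by_product_record


def triage(inventory):
    """Map host -> finding for every host whose version is listed by either source.
    inventory maps host name -> version string as reported by the host."""
    findings = {}
    for host, version in inventory.items():
        by_desc, by_record = listed_as_affected(version)
        if by_desc and by_record:
            findings[host] = "affected: listed in description and product record"
        elif by_record:
            findings[host] = "affected per product record only; confirm against IBM bulletin"
        elif by_desc:
            findings[host] = "affected per description only; confirm against IBM bulletin"
    return findings


# Constructed inventory for the example (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "ssp-dmz-01": "6.0.0.2",   # named in both the description and the record
    "ssp-dmz-02": "6.0.3.0",   # inside the record's range, absent from the description
    "ssp-dmz-03": "6.2.0.1",   # listed by neither source
}

if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, "->", finding)
```

The deliberately split return value keeps the disagreement between the two sources visible in the output; collapsing it to a single boolean would hide exactly the builds (6.0.1.x through 6.0.3.1) where the page's own data is inconsistent.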

References

IBM Security Bulletin for CVE-2024-38337: https://www.ibm.com/support/pages/node/7179166