CVE-2024-45647
Published: 20 January 2025
Description
IBM Security Verify Access 10.0.0 through 10.0.8 and IBM Security Verify Access Docker 10.0.0 through 10.0.8 could allow an unverified user to change the password of an expired user without prior knowledge of that password.
Security Summary
CVE-2024-45647 is a vulnerability in IBM Security Verify Access versions 10.0.0 through 10.0.8, including the Docker edition (versions 10.0.0 through 10.0.8), that enables an unverified user to change the password of an expired user account without prior knowledge of that password. Published on 2025-01-20, the issue carries a CVSS v3.1 base score of 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-620 (Unverified Password Change) as well as NVD-CWE-Other.
An unauthenticated attacker (PR:N) with network access (AV:N) can exploit this flaw, though it demands high attack complexity (AC:H) and involves no user interaction (UI:N). Exploitation allows the attacker to reset the password of an expired user, resulting in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) within the unchanged security scope (S:U).
IBM provides details on the vulnerability, affected versions, and remediation steps in its security advisory at https://www.ibm.com/support/pages/node/7176212.
Details
- CWE(s)