Cyber Posture

CVE-2024-45652

Medium

Published: 19 January 2025

Modified: 18 August 2025
KEV Added:
Patch:
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0007 (22.1th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

IBM Maximo MXAPIASSET API 7.6.1.3 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

Security Summary

CVE-2024-45652 is a directory traversal vulnerability (CWE-22) affecting the IBM Maximo MXAPIASSET API in version 7.6.1.3. It enables a remote attacker to access arbitrary files on the underlying system by sending a specially crafted URL request that includes "dot dot" sequences (/../). The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact but no integrity or availability disruption.

An authenticated remote attacker with low privileges (PR:L) can exploit this over the network with low attack complexity and no user interaction required. By manipulating URL parameters with path traversal sequences, the attacker can read sensitive files outside the intended directory, potentially exposing configuration data, credentials, or other system information.

IBM has published a security bulletin at https://www.ibm.com/support/pages/node/7174820 providing details on the vulnerability and available patches or remediation steps for affected Maximo deployments.
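
A log check for the request pattern described above, as an added example that is not part of the original page or of IBM's bulletin: it flags requests to the API whose target contains a `..` segment after repeated percent-decoding. The `/maximo/api/os/mxapiasset` route, the `mxapiasset` marker, the combined-log layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the API route contains "mxapiasset"; adjust to the deployment.
API_MARKER = "mxapiasset"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
MAX_DECODE_ROUNDS = 3  # covers %2e%2e and double-encoded %252e%252e


def normalize(target):
    """Percent-decode until stable, then unify separators and case."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/").lower()


def has_dotdot_segment(target):
    """True if a path or query component is exactly '..' after decoding."""
    return ".." in re.split(r"[/?&=;]", normalize(target))


def scan(lines):
    """Return (line_number, status, target) for flagged API requests."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match["target"]
        if API_MARKER in normalize(target) and has_dotdot_segment(target):
            hits.append((number, int(match["status"]), target))
    return hits


# Constructed sample lines in combined log format (not from a real system).
SAMPLE = [
    '10.0.0.5 - alice [19/Jan/2025:10:00:01 +0000] "GET /maximo/api/os/mxapiasset?lean=1 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [19/Jan/2025:10:02:11 +0000] "GET /maximo/api/os/mxapiasset/../../example.txt HTTP/1.1" 200 1780',
    '10.0.0.9 - bob [19/Jan/2025:10:02:15 +0000] "GET /maximo/api/os/mxapiasset/%2e%2e/%2e%2e/example.txt HTTP/1.1" 404 0',
    '10.0.0.9 - bob [19/Jan/2025:10:02:19 +0000] "GET /maximo/api/os/mxapiasset/%252e%252e%252fexample.txt HTTP/1.1" 400 0',
    '10.0.0.5 - alice [19/Jan/2025:10:05:40 +0000] "GET /maximo/api/os/mxapiasset?oslc.where=description=%22v1..v2%22 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, status, target in scan(SAMPLE):
        print(f"line {number}: status {status}: {target}")
```

A flagged request that returned 200 deserves review first, since the response may have carried file content.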

Details

CWE(s): CWE-22

Affected Products

Vendor: ibm, Product: maximo asset management, Version: 7.6.1.3
