CVE-2024-49782

Severity: Medium

Published: 20 February 2025
Modified: 11 March 2025
KEV Added:
Patch:
CVSS Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0021 (42.9th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

IBM OpenPages with Watson 8.3 and 9.0 could allow a remote attacker to spoof mail server identity when using SSL/TLS security. An attacker could exploit this vulnerability to gain access to sensitive information disclosed through email notifications generated by OpenPages or disrupt notification delivery.

Security Summary

CVE-2024-49782 affects IBM OpenPages with Watson versions 8.3 and 9.0, where the software could allow a remote attacker to spoof the mail server identity when using SSL/TLS security. This vulnerability stems from improper certificate validation, mapped to CWE-297 (Improper Validation of Certificate with Host Mismatch) and CWE-295 (Improper Certificate Validation). It has a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H), indicating medium severity with network accessibility, high attack complexity, low privileges required, high confidentiality impact, and high availability impact.

A remote attacker with low privileges could exploit this vulnerability to spoof the mail server identity during SSL/TLS connections used for email notifications generated by OpenPages. Successful exploitation would enable the attacker to access sensitive information disclosed through these notifications or disrupt their delivery entirely.

The IBM security advisory at https://www.ibm.com/support/pages/node/7183541 provides details on mitigation, including available patches for the affected versions.

Details

CWE(s)
CWE-297 (Improper Validation of Certificate with Host Mismatch), CWE-295 (Improper Certificate Validation)

Affected Products

IBM OpenPages with Watson: 8.3 to 8.3.0.3, 9.0 to 9.0.0.5

References

IBM security advisory: https://www.ibm.com/support/pages/node/7183541