CVE-2024-55898 IBM i privilege escalation

IBM i 7.2, 7.3, 7.4, and 7.5 could allow a user with the capability to compile or restore a program to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege...

CVE-2024-52895

CVE-2024-52895 affects IBM i 7.4, 7.5 (and 7.6 per IBM bulletin). The issue is a vulnerability where a bypass of a database capabilities restriction check allows a privileged attacker to remove or alter database infrastructure files, leading to a denial of service and possible incorrect behavior ...

CVE-2024-52895 IBM i denial of service

IBM i 7.4 and 7.5 is vulnerable to a database access denial of service caused by a bypass of a database capabilities restriction check. A privileged bad actor can remove or otherwise impact database infrastructure files resulting in incorrect behavior of software products that rely upon the...

Security Bulletin: ISC BIND on IBM i is vulnerable to denial of service attacks due to multiple vulnerabilities.

Summary IBM i Domain Name System DNS uses ISC BIND. ISC BIND on IBM i is vulnerable to denial of service attacks due to errors exploitable by remote attacker as described in the vulnerability details section CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50868. This bulletin...

CVE-2023-47741

CVE-2023-47741 affects IBM Db2 Mirror for i web browser clients and IBM i web browser clients on IBM i 7.3–7.5 (and Db2 Mirror for i 7.4–7.5). The issue allows clear-text passwords to linger in browser memory and be viewable via tools before garbage collection, potentially enabling an attacker wi...

CVE-2023-42006

CVE-2023-42006 affects IBM Administration Runtime Expert for i (versions 7.2–7.5). The root cause is improper authority checks that could allow a local user to obtain sensitive information stored in files (e.g., passwords). The IBM bulletin lists affected releases 7.2–7.5 and provides a remediati...

Security Bulletin: IBM Administration Runtime Expert for i is vulnerable to an attacker obtaining sensitive information due to CVE-2023-42006

Summary IBM Administration Runtime Expert for i could allow sensitive information stored in a file, including passwords, to be obtained by an attacker as described in the vulnerability details section. IBM Administration Runtime Expert for i has addressed the vulnerability with a fix as described...

Privilege escalation

Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator contains a local privilege escalation vulnerability. A malicious actor with command line access to the operating system can exploit this vulnerability to elevate privileges to gain component access to the operating system. IBM...

CVE-2023-40375

Integrated application server for IBM i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system. IBM X-Force ID: 263580...

Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to HTTP request splitting attacks due to an error using mod_proxy (CVE-2023-25690).

Summary IBM HTTP Server powered by Apache for IBM i is vulnerable to HTTP request splitting attacks due to an error using modproxy as described in the vulnerability details section. IBM i has addressed the vulnerability by providing a fix to the Apache HTTP Server implementation as described in t...

CVE-2023-30988

The CVE-2023-30988 relates to IBM i Facsimile Support for i on IBM i 7.2–7.5, where a local privilege escalation allows a user with OS-level command-line access to obtain root privileges. Affected products and versions: IBM i 7.2, 7.3, 7.4, 7.5 with Facsimile Support for i. Root cause: local priv...

CVE-2023-23470

CVE-2023-23470 affects IBM i versions 7.2–7.5. An authenticated privileged administrator could gain elevated privileges due to improper SQL processing via a specially crafted SQL operation in non-default configurations. Reported impact: C/H I/H A/H with CVSS v3.1 base score 7.2 (PR:H, UI:N, AV:N)...

Security Bulletin: IBM Navigator for i and IBM Digital Certificate Manager for i are vulnerable to attacker obtaining sensitive information due to Java string processing in IBM Toolbox for Java (CVE-2022-43928).

Summary IBM Navigator for i and IBM Digital Certificate Manager for i use the IBM Toolbox for Java to access IBM i interfaces. IBM Toolbox for Java could allow sensitive information stored as Java strings to be obtained by an attacker as described in the vulnerability details section. IBM Navigat...

Security Bulletin: IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities.

Summary IBM Navigator for i provides server administration functionality for IBM i. An authenticated user with authority to interact with IBM Navigator for i is able to download log files, view file attributes, and perform SQL injection attacks as described in the vulnerability details section. I...

CVE-2022-34358

CVE-2022-34358 affects IBM i 7.2–7.5, with a cross-site scripting flaw in the Web UI (Digital Certificate Manager) due to insufficient input validation, enabling arbitrary JavaScript in a trusted session. CVSSv3.1 base score 5.4. Remediation per IBM bulletin: apply PTF fixes to IBM i releases 7.2...

Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to identity spoofing and port status query (CVE-2022-22475 CVE-2022-22393)

Summary IBM WebSphere Application Server Liberty for IBM i is vulnerable to identity spoofing by an authenticated user and the ability to obtain the status of application server ports as described in the vulnerability details section. IBM i has addressed the CVEs by providing fixes to IBM WebSphe...