IBM Security Verify Access Docker

IBM Verify Access hardcoded creds v10-11 CVE-2025-36087
CVE-2025-36087 8.1 - High - October 13, 2025

IBM Security Verify Access 10.0.0 through 10.0.9, 11.0.0, IBM Verify Identity Access Container 10.0.0 through 10.0.9, and 11.0.0, under certain configurations, contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Use of Hard-coded Credentials

Unauth Cmd Exec in IBM Verify Access Docker 10.0-9.0 & 11.0-1.0
CVE-2025-36354 7.3 - High - October 06, 2025

IBM Security Verify Access and IBM Security Verify Access Docker 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0 could allow an unauthenticated user to execute arbitrary commands with lower user privileges on the system due to improper validation of user supplied input.

Shell injection

IBM Security Verify Access <=10.0.9.0/<=11.0.1.0 Auth Script Exec CVE-2025-36355
CVE-2025-36355 8.5 - High - October 06, 2025

IBM Security Verify Access and IBM Security Verify Access Docker 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere.

Inclusion of Functionality from Untrusted Control Sphere

IBM Security Verify Access Docker LPE before 11.0.1.0
CVE-2025-36356 9.3 - Critical - October 06, 2025

IBM Security Verify Access and IBM Security Verify Access Docker 10.0.0.0 through 10.0.9.0 and 11.0.0.0 through 11.0.1.0 could allow a locally authenticated user to escalate their privileges to root due to execution with more privileges than required.

Execution with Unnecessary Privileges

IBM Verify Access 10.0/10.0.8: Username Enumeration via Disabled Account Resp.
CVE-2025-0163 5.3 - Medium - June 11, 2025

IBM Security Verify Access Appliance and Docker 10.0 through 10.0.8 could allow a remote attacker to enumerate usernames due to an observable response discrepancy of disabled accounts.

Observable Response Discrepancy

IBM Security Verify Access 10.0.0-10.0.8 Password Reset Exploit
CVE-2024-45647 9.8 - Critical - January 20, 2025

IBM Security Verify Access 10.0.0 through 10.0.8 and IBM Security Verify Access Docker 10.0.0 through 10.0.8 could allow could an unverified user to change the password of an expired user without prior knowledge of that password.

Unverified Password Change

IBM Verify Access Docker 10.0.0-10.0.6 Priv Esc via Unnecessary Priv Exec
CVE-2024-35141 7.8 - High - December 19, 2024

IBM Security Verify Access Docker 10.0.0 through 10.0.6 could allow a local user to escalate their privileges due to execution of unnecessary privileges.

Execution with Unnecessary Privileges

IBM Security Verify Access 10.0.0-10.0.8 OIDC Open Redirect Phishing
CVE-2024-35133 8.2 - High - August 29, 2024

IBM Security Verify Access 10.0.0 through 10.0.8 OIDC Provider could allow a remote authenticated attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.

Open Redirect

IBM Security Access Manager Docker <=10.0.7.1 Local User Info Disclosure via Incorrect Permissions
CVE-2024-35139 6.2 - Medium - June 28, 2024

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to obtain sensitive information from the container due to incorrect default permissions. IBM X-Force ID: 292415.

Incorrect Default Permissions

IBM SAM Docker 10.0.0.0-10.0.7.1 Local Priv Escalation via Config Leak
CVE-2024-35137 6.2 - Medium - June 28, 2024

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to possibly elevate their privileges due to sensitive configuration information being exposed. IBM X-Force ID: 292413.

Empty Password in Configuration File

IBM SAM Docker 10.0.0.0-10.0.7.1: Malicious Package Install Vulnerability
CVE-2023-38370 7.5 - High - June 27, 2024

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1, under certain configurations, could allow a user on the network to install malicious packages. IBM X-Force ID: 261197.

Incorrect Default Permissions

IBM Security Access Manager Docker 10.0.0.0-10.0.7.1 Local Info Disclosure
CVE-2023-38368 5.5 - Medium - June 27, 2024

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could disclose sensitive information to a local user to do improper permission controls. IBM X-Force ID: 261195.

AuthZ

Root Escalation via Improper Access Controls in IAM Docker 10.0.7.1
CVE-2023-30998 7.8 - High - June 27, 2024

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to obtain root access due to improper access controls. IBM X-Force ID: 254649.

Execution with Unnecessary Privileges

IBM Access Manager Docker local privilege escalation (10.0.0.010.0.7.1)
CVE-2023-30997 7.8 - High - June 27, 2024

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to obtain root access due to improper access controls. IBM X-Force ID: 254638.

Execution with Unnecessary Privileges

IBM SAM Docker 10.0.0.0-10.0.7.1 Weak Crypto Decrypt
CVE-2023-38371 5.9 - Medium - June 27, 2024

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 261198.

Use of a Broken or Risky Cryptographic Algorithm

IBM SV Access Docker 10.0.0-10.0.6 Local Priv Esc via Unnecessary Priv Exec
CVE-2024-35142 8.4 - High - May 31, 2024

IBM Security Verify Access Docker 10.0.0 through 10.0.6 could allow a local user to escalate their privileges due to execution of unnecessary privileges. IBM X-Force ID: 292418.

Execution with Unnecessary Privileges

IBM Security Verify Access Docker 10.x Improper Cert Validation PrivEsc
CVE-2024-35140 7.7 - High - May 31, 2024

IBM Security Verify Access Docker 10.0.0 through 10.0.6 could allow a local user to escalate their privileges due to improper certificate validation. IBM X-Force ID: 292416.

Improper Certificate Validation

IBM Security Verify Access 10.0.6: Snapshot Disclosure via Missing Encryption
CVE-2024-25027 6.2 - Medium - March 31, 2024

IBM Security Verify Access 10.0.6 could disclose sensitive snapshot information due to missing encryption. IBM X-Force ID: 281607.

Missing Encryption of Sensitive Data

IBM Verify Access 10.0.0-10.0.6.1: Privileged User Install Config File Remote Access
CVE-2023-43017 8.2 - High - February 07, 2024

IBM Security Verify Access 10.0.0.0 through 10.0.6.1 could allow a privileged user to install a configuration file that could allow remote access. IBM X-Force ID: 266155.

Improper Certificate Validation

IBM Security Access Manager Cont <10.0.6.1: Weak Default Docker Passwords
CVE-2023-38369 6.2 - Medium - February 07, 2024

IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 does not require that docker images should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 261196.

Weak Password Requirements

IBM Verify Access <=10.0.6.1 Remote Server Control via Insecure Calls
CVE-2023-32330 7.5 - High - February 07, 2024

IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure calls that could allow an attacker on the network to take control of the server. IBM X-Force ID: 254977.

Improper Certificate Validation

IBM Security Verify Access 10.0.0.0-10.0.6.1 Insecure Protocols Allow Server Takeover
CVE-2023-32328 7.5 - High - February 07, 2024

IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that could allow an attacker on the network to take control of the server. IBM X-Force Id: 254957.

Cleartext Transmission of Sensitive Information

IBM Security Access Manager Container 10.0.0.0-10.0.6.1 Local File Access Leak
CVE-2023-31002 5.1 - Medium - February 07, 2024

IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user. IBM X-Force ID: 254657.

Unprotected Storage of Credentials

IBM Verify Access Container DoS via Resource Exhaustion CVE-2023-30999
CVE-2023-30999 7.5 - High - February 03, 2024

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow an attacker to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 254651.

Resource Exhaustion

IBM Security Verify Access v10.0.0.0-10.0.6.1 Remote Login via Empty Password
CVE-2023-43016 7.3 - High - February 03, 2024

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote user to log into the server due to a user account with an empty password. IBM X-Force ID: 266154.

Empty Password in Configuration File

IBM Security Verify Access 10.x Improper File Validation Allows Unauthorized Repository Download
CVE-2023-32329 6.2 - Medium - February 03, 2024

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a user to download files from an incorrect repository due to improper file validation. IBM X-Force ID: 254972.

Insufficient Verification of Data Authenticity

Remote System Access via MITM in IBM Verify Access 10.0.0.0-10.0.6.1
CVE-2023-31004 8.3 - High - February 03, 2024

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote attacker to gain access to the underlying system using man in the middle techniques. IBM X-Force ID: 254765.

Man-in-the-Middle / MITM

IBM Verify Access XXE Vulnerability 10.0.0.0-10.0.6.1
CVE-2023-32327 7.1 - High - February 03, 2024

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 254783.

XXE

IBM Verify Access Container DoS on DSC Before 10.0.6.1
CVE-2023-31006 6.5 - Medium - February 03, 2024

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to a denial of service attacks on the DSC server. IBM X-Force ID: 254776.

Resource Exhaustion

IBM Verify Access 10.0-10.0.6.1 Local Priv Escalation via Misconfig
CVE-2023-31005 6.2 - Medium - February 03, 2024

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a local user to escalate their privileges due to an improper security configuration. IBM X-Force ID: 254767.

Improper Privilege Management

IBM VSA Container: Sensitive Info Leak via Local File Access
CVE-2023-31001 5.1 - Medium - January 11, 2024

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) temporarily stores sensitive information in files that could be accessed by a local user. IBM X-Force ID: 254653.

Storing Passwords in a Recoverable Format

IBM Verify Access Root Escalation via Improper ACL (10.0.0.0-10.0.6.1)
CVE-2023-31003 8.4 - High - January 11, 2024

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) could allow a local user to obtain root access due to improper access controls. IBM X-Force ID: 254658.

insecure temporary file

IBM Verify Access 10.0.x Priv Escalation via Exposed Config
CVE-2023-38267 6.2 - Medium - January 11, 2024

IBM Security Access Manager Appliance (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) could allow a local user to possibly elevate their privileges due to sensitive configuration information being exposed. IBM X-Force ID: 260584.

Missing Encryption of Sensitive Data

HTTP Header Injection via HOST Header in IBM Verify Access 10.0.0-10.0.4
CVE-2022-36775 6.5 - Medium - February 17, 2023

IBM Security Verify Access 10.0.0.0, 10.0.1.0, 10.0.2.0, 10.0.3.0, and10.0.4.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 233576.

Injection

IBM Security Verify Access 10.0.0.0, 10.0.1.0 and 10.0.2.0 with the advanced access control authentication service enabled could
CVE-2021-39070 9.8 - Critical - February 02, 2022

IBM Security Verify Access 10.0.0.0, 10.0.1.0 and 10.0.2.0 with the advanced access control authentication service enabled could allow an attacker to authenticate as any user on the system. IBM X-Force ID: 215353.

IBM Security Verify Access Docker 10.0.0 could allow an authenticated user to bypass input due to improper input validation
CVE-2021-20496 - July 15, 2021

IBM Security Verify Access Docker 10.0.0 could allow an authenticated user to bypass input due to improper input validation. IBM X-Force ID: 197966.

IBM Security Verify Access Docker 10.0.0 uses weaker than expected cryptographic algorithms
CVE-2021-20497 - July 15, 2021

IBM Security Verify Access Docker 10.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 197969

IBM Security Verify Access Docker 10.0.0 reveals version information in HTTP requests
CVE-2021-20498 - July 15, 2021

IBM Security Verify Access Docker 10.0.0 reveals version information in HTTP requests that could be used in further attacks against the system. IBM X-Force ID: 197972.

IBM Security Verify Access Docker 10.0.0 could
CVE-2021-20499 - July 15, 2021

IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 197973

IBM Security Verify Access Docker 10.0.0 could reveal highly sensitive information to a local privileged user
CVE-2021-20500 - July 15, 2021

IBM Security Verify Access Docker 10.0.0 could reveal highly sensitive information to a local privileged user. IBM X-Force ID: 197980.

IBM Security Verify Access Docker 10.0.0 stores user credentials in plain clear text which can be read by a local user
CVE-2021-20510 - July 15, 2021

IBM Security Verify Access Docker 10.0.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 198299

IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to traverse directories on the system
CVE-2021-20511 - July 15, 2021

IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 198300.

IBM Security Verify Access Docker 10.0.0 could
CVE-2021-20523 - July 15, 2021

IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 198660

IBM Security Verify Access Docker 10.0.0 is vulnerable to cross-site scripting
CVE-2021-20524 - July 15, 2021

IBM Security Verify Access Docker 10.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198661.

IBM Security Verify Access Docker 10.0.0 could
CVE-2021-20533 - July 15, 2021

IBM Security Verify Access Docker 10.0.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 198813

IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack
CVE-2021-20534 - July 15, 2021

IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 198814

IBM Security Verify Access Docker 10.0.0 contains hard-coded credentials, such as a password or cryptographic key
CVE-2021-20537 - July 15, 2021

IBM Security Verify Access Docker 10.0.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID:198918

IBM Security Access Manager 9.0 and IBM Security Verify Access Docker 10.0.0 stores user credentials in plain clear text
CVE-2021-20439 - July 15, 2021

IBM Security Access Manager 9.0 and IBM Security Verify Access Docker 10.0.0 stores user credentials in plain clear text which can be read by an unauthorized user.