IBM Security Verify Access 10.0.0-10.0.8 Password Reset Exploit
CVE-2024-45647 Published on January 20, 2025

IBM Security Verify Access unverified password change
IBM Security Verify Access 10.0.0 through 10.0.8 and IBM Security Verify Access Docker 10.0.0 through 10.0.8 could allow could an unverified user to change the password of an expired user without prior knowledge of that password.

NVD

Vulnerability Analysis

CVE-2024-45647 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Type

Unverified Password Change

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.


Products Associated with CVE-2024-45647

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-45647 are published in these products:

IBM Security Verify Access Docker
 
IBM Security Verify Access
 

Affected Versions

IBM Security Verify Access: IBM Security Verify Access Docker:

Exploit Probability

EPSS
0.09%
Percentile
24.89%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.