CVE-2024-28765
Description
IBM SDI 7.2.0.0 through 7.2.0.14 and IBM Security Directory Integrator 10.0.0.0 through 10.0.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM SDI and Security Directory Integrator leak technical error details that could aid further attacks.
Vulnerability
IBM Security Directory Integrator (SDI) versions 7.2.0.0 through 7.2.0.14 and IBM Security Directory Integrator versions 10.0.0.0 through 10.0.0.2 return detailed technical error messages to the browser, potentially revealing sensitive information about the system [1].
Exploitation
An unauthenticated remote attacker can trigger an error that causes the application to return a verbose technical message. The necessary condition is a publicly reachable endpoint of the affected product; no prior authentication or user interaction is required [1].
Impact
Successful exploitation results in the disclosure of sensitive information from the error output. This information could be used by the attacker to craft further attacks against the system. The CVSS v3 base score is 5.3 (Medium), with the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating low confidentiality impact and no impact on integrity or availability [1].
Mitigation
IBM has issued a security bulletin advising customers to update their systems. The affected versions are SDI 7.2.0.0-7.2.0.14 and IBM Security Directory Integrator 10.0.0.0-10.0.0.2. The vendor strongly encourages prompt patching; however, the reference does not provide a specific fixed version number or release date. No workarounds or mitigations are available [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: 10.0.0.0 through 10.0.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions
No linked articles in our index yet.