CVE-2024-1604

EUVD-2024-17344

18.03.2024, 10:15

Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate.







Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.4 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Affected Products (NVD)

Vendor	Product	Version
bmc	control-m	9.0.20 ≤ 𝑥 < 9.0.20.238
bmc	control-m	9.0.21 ≤ 𝑥 < 9.0.21.201

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
bmc	control-m	9.0.20 ≤ 𝑥 < 9.0.20.238	ADP
bmc	control-m	9.0.21 ≤ 𝑥 < 9.0.21.201	ADP

Common Weakness Enumeration

CWE-639 - Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

https://cert.pl/en/posts/2024/03/CVE-2024-1604

https://cert.pl/posts/2024/03/CVE-2024-1604

https://www.bmc.com/it-solutions/control-m.html

https://cert.pl/en/posts/2024/03/CVE-2024-1604

https://cert.pl/posts/2024/03/CVE-2024-1604

https://www.bmc.com/it-solutions/control-m.html