CVE-2024-25052

4.4 MEDIUM

📋 TL;DR

IBM Jazz Reporting Service 7.0.3 stores user credentials in plain text, allowing administrative users to read sensitive authentication data. This vulnerability affects organizations running IBM Jazz Reporting Service 7.0.3, where administrative users may be able to read other users' credentials.

💻 Affected Systems

Products:
  • IBM Jazz Reporting Service
Versions: 7.0.3
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects IBM Jazz Reporting Service 7.0.3; requires admin access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Admin user with malicious intent could harvest all user credentials, leading to complete account compromise, lateral movement, and potential data exfiltration.

🟠 Likely Case

Accidental exposure of credentials to authorized admins during routine maintenance or troubleshooting, potentially violating privacy policies.

🟢 If Mitigated

Limited to authorized administrative users only, with proper access controls and monitoring preventing credential misuse.

🌐 Internet-Facing: MEDIUM - If the service is internet-facing, credential exposure could lead to broader compromise if admin accounts are breached.
🏢 Internal Only: MEDIUM - Internal admin users could still misuse credentials for lateral movement within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires admin access to read stored credentials.

Exploitation requires administrative privileges within the Jazz Reporting Service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fix from IBM Security Bulletin

Vendor Advisory: https://www.ibm.com/support/pages/node/7157232

Restart Required: Yes

Instructions:

1. Review the IBM Security Bulletin.
2. Apply the recommended fix or upgrade.
3. Restart the Jazz Reporting Service.
4. Verify that credentials are no longer stored in plain text.

🔧 Temporary Workarounds

Restrict Admin Access

Limit administrative access to only trusted personnel and implement strict access controls.

Credential Rotation

Force password rotation for all users after applying the fix to mitigate exposed credentials.

🧯 If You Can't Patch

  • Implement strict monitoring and logging of admin access to credential storage areas.
  • Enforce least privilege access and segregate admin duties to limit potential misuse.

🔍 How to Verify

Check if Vulnerable:

Confirm whether IBM Jazz Reporting Service 7.0.3 is in use and review its configuration for plain-text credential storage.

Check Version:

Check Jazz Reporting Service version through administrative interface or configuration files.

Verify Fix Applied:

After applying the fix, verify that stored credentials are encrypted or hashed and cannot be read as plain text.

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin access patterns to credential storage
  • Multiple failed login attempts following admin access

Network Indicators:

  • Unexpected outbound connections from Jazz Reporting Service

SIEM Query:

Search for admin user accessing credential storage files or unusual authentication patterns.
