Cyber Posture

CVE-2024-22341

Medium

Published: 22 February 2025

Modified: 29 September 2025
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0003 (8.0th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-22341 is a medium-severity External Control of File Name or Path (CWE-73) vulnerability in IBM Watson Query with Cloud Pak for Data. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks at the 8.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly counters improper privilege management by restricting access to remote data source objects to only the privileges necessary for authorized operations.

prevent

Ensures the system enforces approved access authorizations, preventing low-privileged remote attackers from unauthorized data access via flawed privilege checks.

prevent

Provides proper management of accounts, privileges, and roles to avoid misconfigurations that enable unauthorized access to remote data sources.

NVD Description

IBM Watson Query on Cloud Pak for Data 4.0.0 through 4.0.9, 4.5.0 through 4.5.3, 4.6.0 through 4.6.6, 4.7.0 through 4.7.4, and 4.8.0 through 4.8.7 could allow unauthorized data access from a remote data source object due to improper privilege management.

Deeper analysis

CVE-2024-22341 is a vulnerability in IBM Watson Query on Cloud Pak for Data, affecting versions 4.0.0 through 4.0.9, 4.5.0 through 4.5.3, 4.6.0 through 4.6.6, 4.7.0 through 4.7.4, and 4.8.0 through 4.8.7. It arises from improper privilege management, which could allow unauthorized data access from a remote data source object. The issue is rated with a CVSS v3.1 base score of 5.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-73 and NVD-CWE-Other.

A remote attacker with low privileges can exploit this vulnerability over the network, though it requires high attack complexity. Successful exploitation enables high-impact unauthorized access to confidential data from remote data sources, without impacting integrity or availability.

IBM's security advisory provides details on mitigation and patches; see https://www.ibm.com/support/pages/node/7183851.

Details

CWE(s)

Affected Products

IBM Watson Query with Cloud Pak for Data: 4.0 - 4.0.9 · 4.5 - 4.5.3 · 4.6 - 4.6.6

CVEs Like This One

CVE-2024-56340 (same vendor: IBM)
CVE-2024-43187 (same vendor: IBM)
CVE-2025-0162 (same vendor: IBM)
CVE-2024-28766 (same vendor: IBM)
CVE-2025-14480 (same vendor: IBM)
CVE-2024-25034 (same vendor: IBM)
CVE-2024-39750 (same vendor: IBM)
CVE-2024-49352 (same vendor: IBM)
CVE-2025-3320 (same vendor: IBM)
CVE-2025-36376 (same vendor: IBM)
