CVE-2024-28766
Published: 27 January 2025
Summary
CVE-2024-28766 is a low-severity Exposure of Information Through Directory Listing (CWE-548) vulnerability in IBM Security Directory Integrator. Its CVSS base score is 2.4 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 26.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-28766 affects IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0, where the software could disclose sensitive information about directory contents. This information exposure vulnerability, mapped to CWE-548, carries a CVSS v3.1 base score of 2.4 (AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) and was published on 2025-01-27.
Attackers with high privileges (PR:H) on an adjacent network (AV:A) can exploit this with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables low-impact confidentiality disclosure (C:L) of directory contents, which could aid in further attacks against the system, without affecting integrity or availability.
IBM provides details on the vulnerability and mitigation in its security advisory at https://www.ibm.com/support/pages/node/7161444.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-25852
Vulnerability details
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could disclose sensitive information about directory contents that could aid in further attacks against the system.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables unauthorized disclosure of sensitive directory contents from the local system (information exposure per CWE-548), which maps to data collection from the compromised host.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly remediates the software flaw in IBM Security Directory Integrator that causes disclosure of sensitive directory contents information.
Specifically monitors the system for unauthorized disclosure of sensitive information such as directory contents leaked by this CVE.
Enforces least privilege to restrict high-privilege (PR:H) access required to exploit the directory contents disclosure on adjacent networks.