CVE-2024-45647
Published: 20 January 2025
Summary
CVE-2024-45647 is a medium-severity Unverified Password Change (CWE-620) vulnerability in Ibm Security Verify Access. Its CVSS base score is 5.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); ranked at the 30.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2024-45647 is a vulnerability in IBM Security Verify Access versions 10.0.0 through 10.0.8, including the Docker edition (versions 10.0.0 through 10.0.8), that enables an unverified user to change the password of an expired user account without prior knowledge of that password. Published on 2025-01-20, the issue carries a CVSS v3.1 base score of 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-620 (Unverified Password Change) as well as NVD-CWE-Other.
An unauthenticated attacker (PR:N) with network access (AV:N) can exploit this flaw, though it demands high attack complexity (AC:H) and involves no user interaction (UI:N). Exploitation allows the attacker to reset the password of an expired user, resulting in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) within the unchanged security scope (S:U).
IBM provides details on the vulnerability, affected versions, and remediation steps in its security advisory at https://www.ibm.com/support/pages/node/7176212.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41745
Vulnerability details
IBM Security Verify Access 10.0.0 through 10.0.8 and IBM Security Verify Access Docker 10.0.0 through 10.0.8 could allow could an unverified user to change the password of an expired user without prior knowledge of that password.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln enables unauthenticated password reset on existing accounts (maps to Account Manipulation) and is exploitable remotely against a public-facing IAM app (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
IA-5 mandates verification of identity prior to changing authenticators like passwords, directly preventing unverified password resets for expired user accounts.
AC-2 requires procedures to disable, monitor, and control modifications to expired or inactive accounts, mitigating unauthorized password changes.
AC-3 enforces approved authorizations for access to password change functions, addressing the lack of enforcement allowing unauthenticated resets.