CVE-2024-47106

Medium

Published: 18 January 2025

Published

18 January 2025

Modified

08 August 2025

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0010 27.6th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-47106 is a medium-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Ibm Jazz For Service Management. Its CVSS base score is 5.3 (Medium).

Operationally, ranked at the 27.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Directly addresses permitting actions without identification or authentication by ensuring no sensitive information is accessible, mitigating the improper access restrictions exploited by remote unauthenticated attackers.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access to information and resources, directly countering the improper access restrictions that allow sensitive information disclosure.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of system flaws like this improper access restriction vulnerability, preventing exploitation through patching.

NVD Description

IBM Jazz for Service Management 1.1.3 through 1.1.3.22 could allow a remote attacker to obtain sensitive information from improper access restrictions that could aid in further attacks against the system.

Deeper analysisAI

CVE-2024-47106 affects IBM Jazz for Service Management in versions 1.1.3 through 1.1.3.22. The vulnerability arises from improper access restrictions (CWE-552), enabling a remote attacker to obtain sensitive information that could aid in further attacks against the system. It has a CVSS v3.1 base score of 5.3, rated as medium severity with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, no privileges or user interaction required, unchanged scope, low confidentiality impact, and no integrity or availability impact.

A remote, unauthenticated attacker can exploit this vulnerability over the network with minimal effort. Exploitation allows disclosure of sensitive information, providing reconnaissance data that could facilitate subsequent attacks on the system.

IBM's security advisory provides details on the vulnerability and mitigation, available at https://www.ibm.com/support/pages/node/7178507. Security practitioners should review this page for patching guidance and any recommended workarounds.

Details

CWE(s): CWE-552

Affected Products

ibm

jazz for service management

1.1.3 — 1.1.3.22

CVEs Like This One

CVE-2024-56340Same vendor: Ibm

CVE-2024-43187Same vendor: Ibm

CVE-2025-0162Same vendor: Ibm

CVE-2024-28766Same vendor: Ibm

CVE-2025-14480Same vendor: Ibm

CVE-2024-25034Same vendor: Ibm

CVE-2024-39750Same vendor: Ibm

CVE-2024-49352Same vendor: Ibm

CVE-2025-3320Same vendor: Ibm

CVE-2025-13689Same vendor: Ibm

References

https://www.ibm.com/support/pages/node/7178507
Vendor Advisory · psirt@us.ibm.com