IBM Common Cryptographic Architecture (CCA) 7.5.52 and 8.4.82 could allow an unauthenticated user to execute arbitrary commands with elevated privileges on the system.
The vulnerability results from improper privilege assignment during operations in the IBM CCA library (CWE-250 — Execution with Unnecessary Privileges). An unauthenticated network user can invoke library operations in a manner that results in the execution of arbitrary system commands with elevated privilege level. The attack requires no user interaction or special preconditions, which significantly lowers the threshold for its execution.
An attacker can take full control of the system running the vulnerable IBM CCA library, gaining the ability to read, modify, or delete data, including potentially cryptographic keys managed by the library.
Security patches available from the vendor should be applied in accordance with the references — detailed information about patched versions is available at: https://www.ibm.com/support/pages/node/7259625
IBM Common Cryptographic Architecture (CCA) in versions 7.5.52 and 8.4.82.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H