CVE-2024-31912: 
IBM WebSphere MQ vulnerability analysis and mitigation

IBM MQ 9.3 LTS and 9.3 CD contains a privilege escalation vulnerability (CVE-2024-31912) that was discovered and disclosed on June 28, 2024. The vulnerability affects the server component of IBM MQ installations and could allow authenticated users to escalate their privileges under certain configurations (IBM Advisory).

The vulnerability stems from incorrect privilege assignment in IBM MQ systems. It has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and requiring low privileges. IBM's own assessment rates it slightly lower at 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, primarily differing in the attack complexity assessment (NVD).

If exploited, this vulnerability could lead to complete compromise of system confidentiality, integrity, and availability within the affected IBM MQ installations. The high CVSS scores indicate severe potential impacts, particularly concerning given the critical nature of IBM MQ in enterprise messaging infrastructure (NVD).

IBM has released fixes for the affected versions. For IBM MQ 9.3 LTS, users should apply Fix Pack 9.3.0.20 (APAR IT45607). For IBM MQ 9.3 CD users, the recommended action is to upgrade to IBM MQ version 9.4. No alternative workarounds or mitigations are currently available (IBM Advisory).