CVE-2024-35137: 
IBM Security Access Manager (ISAM) vulnerability analysis and mitigation

IBM Security Access Manager Docker versions 10.0.0.0 through 10.0.7.1 contains a security vulnerability that could allow a local user to potentially elevate their privileges due to exposed sensitive configuration information. The vulnerability was discovered and disclosed on June 28, 2024, and is tracked as CVE-2024-35137 (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.2 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires local access, has low attack complexity, requires no privileges, needs no user interaction, has unchanged scope, and can result in high confidentiality impact but no integrity or availability impact. The vulnerability is associated with CWE-521 (Weak Password Requirements) and CWE-258 (Empty Password in Configuration File) (NVD).

The vulnerability could allow a local user to potentially elevate their privileges by accessing exposed sensitive configuration information. This could lead to unauthorized access to system resources and potential compromise of system security (IBM Advisory).

IBM has released version 10.0.8.0 to address this vulnerability. Users are encouraged to update their systems promptly. For Docker Container installations, users should obtain the latest version by running the command 'docker pull icr.io/isva/verify-access:[tag]' where [tag] is the latest published version (IBM Advisory).