CVE-2024-27275

IBM i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability caused by an insufficient authority requirement. A local user without administrator privilege can configure a physical file trigger to execute with the privileges of a user socially engineered to access the target file. The correction is to require administrator privilege to configure trigger support.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.4 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.ibm.com/support/pages/node/7157637	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/285203	VDB Entry
https://www.ibm.com/support/pages/node/7157637	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:i:7.2:::::::*
	cpe:2.3:a:ibm:i:7.3:::::::*
	cpe:2.3:a:ibm:i:7.4:::::::*
	cpe:2.3:a:ibm:i:7.5:::::::*

History

29 Sep 2025, 15:16

Type	Values Removed	Values Added
CWE		CWE-266
Summary	(en) IBM i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability caused by an insufficient authority requirement. A local user without administrator privilege can configure a physical file trigger to execute with the privileges of a user socially engineered to access the target file. The correction is to require administrator privilege to configure trigger support. IBM X-Force ID: 285203.	(en) IBM i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability caused by an insufficient authority requirement. A local user without administrator privilege can configure a physical file trigger to execute with the privileges of a user socially engineered to access the target file. The correction is to require administrator privilege to configure trigger support.

Information

Published : 2024-06-15 14:15

Updated : 2025-09-29 15:16

NVD link : CVE-2024-27275

Mitre link : CVE-2024-27275

CVE.ORG link : CVE-2024-27275

JSON object : View

Products Affected

ibm

i

CWE

CWE-266

Incorrect Privilege Assignment

CWE-287

Improper Authentication

{"id": "CVE-2024-27275", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.4}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-06-15T14:15:09.443", "references": [{"url": "https://www.ibm.com/support/pages/node/7157637", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/285203", "tags": ["VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.ibm.com/support/pages/node/7157637", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "psirt@us.ibm.com", "description": [{"lang": "en", "value": "CWE-266"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "IBM i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability caused by an insufficient authority requirement. A local user without administrator privilege can configure a physical file trigger to execute with the privileges of a user socially engineered to access the target file. The correction is to require administrator privilege to configure trigger support."}, {"lang": "es", "value": "IBM i 7.2, 7.3, 7.4 y 7.5 contiene una vulnerabilidad de escalada de privilegios local causada por un requisito de autoridad insuficiente. Un usuario local sin privilegios de administrador puede configurar un activador de archivo f\u00edsico para ejecutarlo con los privilegios de un usuario manipulado socialmente para acceder al archivo de destino. La correcci\u00f3n consiste en requerir privilegios de administrador para configurar la compatibilidad con activadores. ID de IBM X-Force: 285203."}], "lastModified": "2025-09-29T15:16:06.107", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:i:7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E41BD05-37B8-4494-9344-506D4BCF43C2"}, {"criteria": "cpe:2.3:a:ibm:i:7.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD4F4919-D935-4B81-B4E8-0E0F2DAC09B1"}, {"criteria": "cpe:2.3:a:ibm:i:7.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AE2B298C-E1F6-43BD-A5EF-83964C6669CE"}, {"criteria": "cpe:2.3:a:ibm:i:7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "88B74622-BDB2-43AE-A91F-FADEC4B64B4F"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}