CVE-2025-36100
BaseFortify
Publication date: 2025-09-07
Last updated on: 2025-12-19
Assigner: IBM Corporation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range | Stream / fixed in (per the mitigation answer below) |
|---|---|---|---|
| ibm | mq | From 9.1.0.0 (inc) to 9.1.0.31 (exc) | 9.1 LTS, fixed in 9.1.0.31 |
| ibm | mq | From 9.2.0.0 (inc) to 9.2.0.37 (exc) | 9.2 LTS, fixed in 9.2.0.37 |
| ibm | mq | From 9.3.0.0 (inc) to 9.3.0.31 (exc) | 9.3 LTS, fixed in 9.3.0.31 |
| ibm | mq | From 9.3.0.0 (inc) to 9.3.5.1 (inc) | 9.3 CD, fixed by upgrading to 9.4.3.1 |
| ibm | mq | From 9.4.0.0 (inc) to 9.4.0.15 (exc) | 9.4 LTS, fixed in 9.4.0.15 |
| ibm | mq | From 9.4.0.0 (inc) to 9.4.3.1 (exc) | 9.4 CD, fixed in 9.4.3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-260 | The product stores a password in a configuration file that might be accessible to actors who do not know the password. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
When tracing is enabled, the IBM MQ Java and JMS components write passwords in plaintext into client configuration files. Any local user who can read those files obtains the passwords, so credentials that were meant to stay inside the application are exposed to other accounts on the same host. [1]
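The failure mode described above is a file on disk that both contains a clear-text credential and is readable by other local accounts. The script below is an added example of a local check for exactly that combination; it is not IBM's code, and the file names (`client.properties`, `trace.log`), the key names and the sample contents are constructed for the demo rather than copied from any real IBM MQ configuration or trace format. Readability by other users is judged from POSIX mode bits, and reported values are masked so the report does not leak the secret a second time.

```python
"""Added example: find password-like assignments in files and flag those that
other local users can read. Not IBM's tooling; sample data is constructed."""
from __future__ import annotations

import re
import shutil
import stat
import tempfile
from pathlib import Path

# key=value or key: value where the key looks like it carries a secret.
SECRET_KEY_RE = re.compile(
    r"(?i)\b([\w.\-]*(?:password|passwd|pwd|secret)[\w.\-]*)\s*[=:]\s*(\S+)"
)
PLACEHOLDERS = {"*****", "<masked>", "null", "none", '""'}


def find_secret_lines(text: str) -> list:
    """Return (line_number, key, masked_value) for each line assigning a
    non-empty, non-placeholder value to a password-like key."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = SECRET_KEY_RE.search(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value.lower() in PLACEHOLDERS:
            continue  # already masked or empty placeholder, not a leak
        findings.append((n, key, "*" * len(value)))  # mask, keep length only
    return findings


def readable_by_other_local_users(path: Path) -> bool:
    """True if group or world read bits are set (POSIX semantics)."""
    return bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_dir(root: Path) -> list:
    """Report every file under root that holds a secret-like line, with
    whether its permissions expose it to other local users."""
    report = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits = find_secret_lines(path.read_text(errors="replace"))
        if hits:
            report.append({
                "file": path.name,
                "exposed": readable_by_other_local_users(path),
                "lines": hits,
            })
    return report


def build_sample_dir() -> Path:
    """Constructed sample (hypothetical names and contents): one secret left
    world-readable, one secret kept owner-only, one file with a placeholder."""
    root = Path(tempfile.mkdtemp(prefix="mq-cred-scan-"))
    leaky = root / "client.properties"
    leaky.write_text("host=mq01.example.internal\nuser=app\npassword=Hunter2!\n")
    leaky.chmod(0o644)
    private = root / "trace.log"
    private.write_text("connecting as app\njavax.jms.Password: s3cret-value\n")
    private.chmod(0o600)
    clean = root / "notes.txt"
    clean.write_text("password: <masked>\nno credentials here\n")
    clean.chmod(0o644)
    return root


def demo() -> list:
    """Build the sample tree, scan it, clean it up, return the report."""
    root = build_sample_dir()
    try:
        return scan_dir(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for entry in demo():
        state = "EXPOSED to other local users" if entry["exposed"] else "owner-only"
        print(f"{entry['file']}: {state}")
        for n, key, masked in entry["lines"]:
            print(f"  line {n}: {key}={masked}")
```

Run it against the directories where your MQ client configuration and trace output live; a hit marked exposed is the condition this CVE describes, and the remediation is to restrict the file, remove the clear-text value and rotate the credential, not merely to install the fix pack.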
How can this vulnerability impact me?
The direct impact is loss of confidentiality: a local user who can read the affected client configuration files obtains the stored passwords without needing to know them. Whoever holds those passwords can reuse them to authenticate as the client, and from there disrupt services or gain further access, so the disclosure can escalate into an availability or integrity problem as well. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the cumulative security update or fix pack for your stream: IBM MQ 9.1 LTS to 9.1.0.31; 9.2 LTS to 9.2.0.37; 9.3 LTS to 9.3.0.31; 9.4 LTS to 9.4.0.15; and IBM MQ 9.3 CD and 9.4 CD by upgrading to 9.4.3.1. No workarounds or alternative mitigations are provided, so applying these updates is the only way to stop further local password disclosure. [1] Note that the fix prevents new disclosures but does not remove passwords already written to existing files while tracing was enabled: locate those files, restrict or delete them, and rotate any credentials they contained.
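The affected-version table and the fix list above are easy to misread because the 9.3 CD and 9.4 CD rows start at x.y.0.0 and so overlap the LTS rows. The script below is an added triage helper, not IBM's tooling, that parses an IBM MQ V.R.M.F version string and reports whether it falls in one of the page's ranges and which fix level closes it. It assumes the IBM MQ stream convention, which this page does not state: a version whose modification level is 0 (9.x.0.F) is an LTS build, and anything with a modification level above 0 (9.3.5.1, 9.4.2.0) is a CD build; that convention is what resolves the overlapping rows.

```python
"""Added example: triage an IBM MQ V.R.M.F version against the affected
ranges listed for CVE-2025-36100. Not IBM's code."""
from __future__ import annotations

from typing import Dict, List, Tuple

Vrmf = Tuple[int, int, int, int]

# One entry per row of the page's affected-products table:
# (lower bound inclusive, upper bound, upper bound inclusive?, stream, fixed-in)
AFFECTED: List[Tuple[str, str, bool, str, str]] = [
    ("9.1.0.0", "9.1.0.31", False, "9.1 LTS", "9.1.0.31"),
    ("9.2.0.0", "9.2.0.37", False, "9.2 LTS", "9.2.0.37"),
    ("9.3.0.0", "9.3.0.31", False, "9.3 LTS", "9.3.0.31"),
    ("9.3.0.0", "9.3.5.1", True, "9.3 CD", "9.4.3.1"),
    ("9.4.0.0", "9.4.0.15", False, "9.4 LTS", "9.4.0.15"),
    ("9.4.0.0", "9.4.3.1", False, "9.4 CD", "9.4.3.1"),
]


def parse_vrmf(version: str) -> Vrmf:
    """Parse 'V.R.M.F' into a tuple of ints so ranges compare numerically
    (string comparison would put 9.3.0.9 after 9.3.0.31)."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected V.R.M.F, got {version!r}")
    v, r, m, f = (int(p) for p in parts)
    return (v, r, m, f)


def stream_of(v: Vrmf) -> str:
    """Assumption (IBM MQ convention, not stated on the page):
    modification level 0 is LTS, anything else is CD."""
    return "LTS" if v[2] == 0 else "CD"


def in_range(v: Vrmf, lower: str, upper: str, upper_inclusive: bool) -> bool:
    if v < parse_vrmf(lower):
        return False
    hi = parse_vrmf(upper)
    return v <= hi if upper_inclusive else v < hi


def assess(version: str) -> Dict[str, object]:
    """Match only rows of the version's own stream, so a 9.3.0.x LTS build is
    judged against the 9.3 LTS row and not the overlapping 9.3 CD row."""
    v = parse_vrmf(version)
    stream = stream_of(v)
    for lower, upper, inclusive, label, fixed_in in AFFECTED:
        if label.endswith(stream) and in_range(v, lower, upper, inclusive):
            return {"version": version, "stream": label,
                    "affected": True, "fixed_in": fixed_in}
    return {"version": version, "stream": f"{v[0]}.{v[1]} {stream}",
            "affected": False, "fixed_in": None}


def triage(inventory: Dict[str, str]) -> List[Dict[str, object]]:
    """Assess a host -> version inventory and return only the hosts that
    still need the fix, sorted by host name."""
    todo = []
    for host in sorted(inventory):
        result = assess(inventory[host])
        if result["affected"]:
            todo.append({"host": host, **result})
    return todo


if __name__ == "__main__":
    # Constructed inventory, hypothetical host names.
    sample = {"mq-prod-1": "9.3.0.20", "mq-prod-2": "9.3.0.31",
              "mq-cd-lab": "9.3.4.0", "mq-new": "9.4.3.1"}
    for row in triage(sample):
        print(f"{row['host']}: {row['version']} ({row['stream']}) -> update to {row['fixed_in']}")
```

Feed it the versions reported by your own inventory (for example the output of `dspmqver` on each host); a version outside every listed range is reported as not affected by this table, which is not the same as being supported or otherwise patched.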