CVE-2024-45647: 
IBM Security Verify Access (formerly ISAM) vulnerability analysis and mitigation

CVE-2024-45647 affects IBM Security Verify Access and IBM Security Verify Access Docker versions 10.0.0 through 10.0.8. The vulnerability allows an unverified user to change the password of an expired user without prior knowledge of that password. This security issue was discovered and disclosed on January 20, 2025 (NVD, IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while IBM's assessment rates it at 5.6 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L. The vulnerability is classified under CWE-620: Unverified Password Change (NVD).

The vulnerability allows unauthorized access to user accounts by bypassing password verification mechanisms. This could lead to account takeover of expired user accounts, potentially compromising system security and user data confidentiality (IBM Advisory).

The issue only affects systems using IBM Security Directory Server. A temporary mitigation involves setting the environment variable IDSNEWPASSWORDPOLICY=YES on the backend server, either via command line or in the ibmslapd.conf file. Additionally, adding the line 'ibm-slapdSetenv: IDSNEWPASSWORDPOLICY=YES' to the cn=Front End entry can help mitigate the vulnerability. No permanent fixes are available at this time (IBM Advisory).