{"cve":{"cve_id":"CVE-2024-1604","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.00491,"epss_percentile":0.38332,"epss_as_of":"2026-06-23","description":"Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate.\n\nThe fix for the 9.0.20 branch was released in version 9.0.20.238. The fix for the 9.0.21 branch was released in version 9.0.21.201.","published_at":"2024-03-18T09:59:35.514000Z","last_modified_at":null,"cvss_v3_score":6.4,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N","cvss_v3_severity":"MEDIUM","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":"none","ssvc_automatable":false,"ssvc_technical_impact":"total","cwes":["CWE-639"],"nvd_references":["https://cert.pl/posts/2024/03/CVE-2024-1604","https://cert.pl/en/posts/2024/03/CVE-2024-1604","https://www.bmc.com/it-solutions/control-m.html"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-29T01:51:51.659402Z"},"effective_severity":"MEDIUM","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"H","value_label":"High"},{"metric":"PR","name":"Privileges Required","value":"L","value_label":"Low"},{"metric":"UI","name":"User Interaction","value":"R","value_label":"Required"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"N","value_label":"None"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"bmc","vendor_name":"BMC","product_slug":"control-m","product_name":"Control-M","version_start":"9.0.20","version_start_inclusive":true,"version_end":"9.0.20.238","version_end_inclusive":false,"cpe23_uri":"cve5:bmc:control-m:9.0.20:9.0.20.238"},{"vendor_slug":"bmc","vendor_name":"BMC","product_slug":"control-m","product_name":"Control-M","version_start":"9.0.21","version_start_inclusive":true,"version_end":"9.0.21.201","version_end_inclusive":false,"cpe23_uri":"cve5:bmc:control-m:9.0.21:9.0.21.201"}],"exploit_refs":[],"news":[],"references":[{"url":"https://cert.pl/posts/2024/03/CVE-2024-1604","source_type":"MISC","tags":[]},{"url":"https://cert.pl/en/posts/2024/03/CVE-2024-1604","source_type":"MISC","tags":[]},{"url":"https://www.bmc.com/it-solutions/control-m.html","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2024-03-18T09:59:35.514000Z","label":"CVE published","source":null},{"type":"cvss_changed","at":"2026-06-28T17:32:56.911083Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:32:56.911083Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:32:56.911083Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"ssvc_changed","at":"2026-06-29T01:51:51.659402Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-29T01:51:51.659402Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-29T01:51:51.659402Z","label":"SSVC decision revised","source":"vulnrichment"}]}