CVE-2025-36005

MEDIUM

IBM MQ Operator < 2.0.29 - Improper Certificate Validation

Title source: rule

Description

IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, and MQ Operator SC2 3.2.0 through 3.2.13 Internet Pass-Thru could allow a malicious user to obtain sensitive information from another TLS session connection by the proxy to the same hostname and port due to improper certificate validation.

References (1)

[Vendor Advisory] https://www.ibm.com/support/pages/node/7240431

Scores

CVSS v3 5.9

EPSS 0.0003

EPSS Percentile 8.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (27)

ibm/mq_operator 3.3.0

ibm/mq_operator 3.4.0

ibm/mq_operator 3.4.1

ibm/mq_operator 3.5.0

ibm/mq_operator 2.0.0 - 2.0.29

ibm/mq_operator 3.2.0 - 3.2.13

ibm/mq_operator 3.5.1 - 3.6.0

ibm/supplied_mq_advanced_container_images 9.3.0.0 r1 (3 CPE variants)

ibm/supplied_mq_advanced_container_images 9.3.0.1 r1 (4 CPE variants)

ibm/supplied_mq_advanced_container_images 9.3.0.3 r1

... and 17 more

Published Jul 24, 2025

Tracked Since Feb 18, 2026