Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for turbonomic_prometurbo_agent by ibm

    CVE-2026-6389 (GCVE-0-2026-6389)

    Vulnerability from nvd – Published: 2026-04-30 21:17 – Updated: 2026-05-01 16:37
    VLAI
    Title
    IBM Turbonomic Prometurbo agent used by IBM Turbonomic Application Resource Management is affected by a single vulnerability
    Summary
    IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7270720 vendor-advisorypatch
    Impacted products
    Vendor Product Version
    IBM Turbonomic prometurbo agent Affected: 8.16.0 , ≤ 8.17.6 (semver)
        cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.16.0:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.17.6:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    This vulnerability was reported to IBM by Lior Yakim.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6389",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-01T16:07:22.169751Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-01T16:37:57.048Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.16.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.17.6:*:*:*:*:*:*:*"
              ],
              "product": "Turbonomic prometurbo agent",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.17.6",
                  "status": "affected",
                  "version": "8.16.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "This vulnerability was reported to IBM by Lior Yakim."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster\u2011wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.\u003c/p\u003e"
                }
              ],
              "value": "IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster\u2011wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-30T21:17:06.371Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7270720"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cstrong\u003eIBM strongly recommends addressing the vulnerability now by re-installing a version of prometurbo with the required fixes.\u003c/strong\u003e\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eProduct(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eVersion(s) number and/or range\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eRemediation/Fix/Instructions\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Turbonomic prometurbo agent\u003c/td\u003e\u003ctd\u003e8.18.0\u003c/td\u003e\u003ctd\u003e\u003cp\u003eFollow the \u003ca href=\"https://www.ibm.com/docs/en/tarm/8.19.4?topic=configuration-prometheus\" rel=\"nofollow\"\u003einstallation instructions\u003c/a\u003e from the IBM Turbonomic documentation\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "IBM strongly recommends addressing the vulnerability now by re-installing a version of prometurbo with the required fixes.\n\nProduct(s)Version(s) number and/or range\u00a0Remediation/Fix/InstructionsIBM Turbonomic prometurbo agent8.18.0\n\nFollow the  installation instructions https://www.ibm.com/docs/en/tarm/8.19.4  from the IBM Turbonomic documentation"
            }
          ],
          "title": "IBM Turbonomic Prometurbo agent used by IBM Turbonomic Application Resource Management is affected by a single vulnerability",
          "x_generator": {
            "engine": "ibm-cvegen"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2026-6389",
        "datePublished": "2026-04-30T21:17:06.371Z",
        "dateReserved": "2026-04-15T19:41:36.801Z",
        "dateUpdated": "2026-05-01T16:37:57.048Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6389 (GCVE-0-2026-6389)

    Vulnerability from cvelistv5 – Published: 2026-04-30 21:17 – Updated: 2026-05-01 16:37
    VLAI
    Title
    IBM Turbonomic Prometurbo agent used by IBM Turbonomic Application Resource Management is affected by a single vulnerability
    Summary
    IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7270720 vendor-advisorypatch
    Impacted products
    Vendor Product Version
    IBM Turbonomic prometurbo agent Affected: 8.16.0 , ≤ 8.17.6 (semver)
        cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.16.0:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.17.6:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    This vulnerability was reported to IBM by Lior Yakim.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6389",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-01T16:07:22.169751Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-01T16:37:57.048Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.16.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:turbonomic_prometurbo_agent:8.17.6:*:*:*:*:*:*:*"
              ],
              "product": "Turbonomic prometurbo agent",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.17.6",
                  "status": "affected",
                  "version": "8.16.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "This vulnerability was reported to IBM by Lior Yakim."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster\u2011wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.\u003c/p\u003e"
                }
              ],
              "value": "IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster\u2011wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-30T21:17:06.371Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7270720"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cstrong\u003eIBM strongly recommends addressing the vulnerability now by re-installing a version of prometurbo with the required fixes.\u003c/strong\u003e\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eProduct(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eVersion(s) number and/or range\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eRemediation/Fix/Instructions\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Turbonomic prometurbo agent\u003c/td\u003e\u003ctd\u003e8.18.0\u003c/td\u003e\u003ctd\u003e\u003cp\u003eFollow the \u003ca href=\"https://www.ibm.com/docs/en/tarm/8.19.4?topic=configuration-prometheus\" rel=\"nofollow\"\u003einstallation instructions\u003c/a\u003e from the IBM Turbonomic documentation\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "IBM strongly recommends addressing the vulnerability now by re-installing a version of prometurbo with the required fixes.\n\nProduct(s)Version(s) number and/or range\u00a0Remediation/Fix/InstructionsIBM Turbonomic prometurbo agent8.18.0\n\nFollow the  installation instructions https://www.ibm.com/docs/en/tarm/8.19.4  from the IBM Turbonomic documentation"
            }
          ],
          "title": "IBM Turbonomic Prometurbo agent used by IBM Turbonomic Application Resource Management is affected by a single vulnerability",
          "x_generator": {
            "engine": "ibm-cvegen"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2026-6389",
        "datePublished": "2026-04-30T21:17:06.371Z",
        "dateReserved": "2026-04-15T19:41:36.801Z",
        "dateUpdated": "2026-05-01T16:37:57.048Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }