PT-2024-5315 · IBM · IBM i
Published 2024-06-14 · Updated 2024-08-27
CVE-2024-27275 · CVSS v3.1 7.8 High
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
IBM i versions 7.2 through 7.5
Description
The issue is an insufficient authority requirement on trigger configuration: a local user without administrator privilege can attach a physical file trigger (a program of their choosing) to a file they can reach. A trigger program runs in the job of whoever performs the I/O that fires it, so once a privileged user is socially engineered into reading or updating the target file (the UI:R component of the vector), the attacker's program executes with that user's privileges, which is how a low-privilege account escalates to full confidentiality, integrity and availability impact. The root cause is missing access control on the operation that configures trigger support.
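The practical check a practitioner wants here is an inventory of existing triggers and who owns the programs behind them, since the fix only governs future trigger configuration and says nothing about triggers already attached. The following Db2 for i query is an added example, not code from the advisory or from IBM; it assumes the QSYS2.SYSTRIGGERS catalog view, the QSYS2.OBJECT_STATISTICS table function and the QSYS2.USER_INFO view with the column names used below, and it treats "owner of the trigger program lacks *ALLOBJ" as a proxy for "could have been planted by a non-administrator". Verify the column names against your release before relying on it.

```sql
-- Added example (not from the advisory or IBM): list every trigger whose
-- trigger program is owned by a profile without *ALLOBJ special authority.
-- Assumed catalog objects: QSYS2.SYSTRIGGERS, QSYS2.OBJECT_STATISTICS,
-- QSYS2.USER_INFO. Cross-check a single file with
--   DSPFD FILE(lib/file) TYPE(*TRG)
-- and a whole library with PRTTRGPGM (both standard CL commands).
SELECT
  t.EVENT_OBJECT_SCHEMA       AS file_library,
  t.EVENT_OBJECT_TABLE        AS file_name,
  t.EVENT_MANIPULATION        AS fires_on,      -- INSERT / UPDATE / DELETE
  t.ACTION_TIMING             AS fires_when,    -- BEFORE / AFTER
  t.TRIGGER_PROGRAM_LIBRARY   AS pgm_library,
  t.TRIGGER_PROGRAM_NAME      AS pgm_name,
  o.OBJOWNER                  AS pgm_owner,
  u.SPECIAL_AUTHORITIES       AS owner_special_authorities
FROM QSYS2.SYSTRIGGERS t
-- Resolve the owner of the *PGM object the trigger points at.
CROSS JOIN LATERAL (
  SELECT OBJOWNER
  FROM TABLE(QSYS2.OBJECT_STATISTICS(
         t.TRIGGER_PROGRAM_LIBRARY, '*PGM', t.TRIGGER_PROGRAM_NAME))
) o
-- Pull the owner's special authorities; NULL if the profile no longer exists.
LEFT JOIN QSYS2.USER_INFO u
  ON u.AUTHORIZATION_NAME = o.OBJOWNER
WHERE t.TRIGGER_PROGRAM_NAME IS NOT NULL         -- external (program) triggers only
  AND (u.SPECIAL_AUTHORITIES IS NULL
       OR u.SPECIAL_AUTHORITIES NOT LIKE '%*ALLOBJ%')
ORDER BY file_library, file_name, pgm_name;
```

Rows returned are candidates for review, not proof of compromise: a program owned by a service profile without *ALLOBJ is normal in many shops. The point is to find trigger programs that sit on files privileged users touch routinely and that were created outside the change process, and to remove them with RMVPFTRG before or alongside applying the fix.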
Recommendations
For IBM i versions 7.2 through 7.5, apply the fix IBM provides. The correction restricts the ADDPFTRG command so that administrator privilege is required to configure trigger support, which closes the path by which a low-privilege user attaches a trigger program to a file. Because any existing process in which non-administrator users add triggers will stop working, the fix is a breaking change and is documented in the Memo to Users; review those processes before deploying it, and audit triggers already attached, since the fix does not remove them.
Fix
Improper Authentication
Incorrect Privilege Assignment
Affected Products
IBM i