IBM has issued a security bulletin highlighting two critical vulnerabilities in its Cognos Analytics platform.
These vulnerabilities, identified as CVE-2023-42017 and CVE-2024-51466, pose significant risks, including unauthorized file uploads and sensitive information exposure.
Users are urged to update their systems promptly to mitigate potential threats.
Details of the Vulnerabilities
- Malicious File Upload (CVE-2023-42017)
  This vulnerability arises from improper validation of file content uploaded through the web interface. A privileged user can exploit this flaw to upload malicious executable files, which could then be used for further attacks.
  - Categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS base score of 8.0, indicating high severity.
- Expression Language (EL) Injection (CVE-2024-51466)
  The EL Injection vulnerability allows remote attackers to exploit improperly neutralized special elements in EL statements.
  - Possible impact: sensitive data exposure, resource exhaustion, or server crashes. Classified under CWE-917 (Improper Neutralization of Special Elements in EL Statements), it carries a critical CVSS base score of 9.0. Attackers can exploit this without user interaction or prior authentication.
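The root cause named for CVE-2023-42017 is validation of the file name rather than the file content. The following Python check is an added example for this article, not IBM's code and not a description of how Cognos Analytics handles uploads: it verifies the leading bytes of an upload against an allowlist keyed by declared extension and rejects native executables and scripts however they are named. The allowlist, the executable signatures and the size cap are assumptions made for the demonstration.

```python
"""Added example (not IBM's code): validate uploaded file content, not only its name.

CWE-434 issues arise when the server trusts the client-supplied filename or
Content-Type header and never inspects the bytes. This hypothetical check keeps
an allowlist of accepted types, verifies the leading bytes ("magic numbers")
against the declared extension, and rejects native executables and scripts
whatever they are called. The allowlist and limits are assumptions for the demo.
"""
from dataclasses import dataclass

# Hypothetical allowlist for an upload endpoint: extension -> accepted magic prefixes.
# An empty tuple means "plain text", which is checked structurally instead.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
    ".csv": (),
}

# Signatures that must never be accepted regardless of the declared name.
EXECUTABLE_MAGIC = (
    b"MZ",                 # Windows PE
    b"\x7fELF",            # Linux ELF
    b"\xcf\xfa\xed\xfe",   # Mach-O 64-bit, little-endian
    b"\xfe\xed\xfa\xcf",   # Mach-O 64-bit, big-endian
    b"#!",                 # script with an interpreter line
)

MAX_SIZE = 10 * 1024 * 1024  # assumed 10 MiB cap for the demo


@dataclass
class Verdict:
    accepted: bool
    reason: str


def declared_extension(filename: str) -> str:
    """Return the lower-cased final extension of the basename, or '' if none."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1].lower()


def looks_like_text(data: bytes) -> bool:
    """Reject NUL and other control bytes that have no place in a text upload."""
    return all(b >= 0x20 or b in b"\t\r\n" for b in data)


def validate_upload(filename: str, data: bytes) -> Verdict:
    """Decide whether the upload is acceptable, checking content before name."""
    if not data:
        return Verdict(False, "empty upload")
    if len(data) > MAX_SIZE:
        return Verdict(False, "upload exceeds size limit")
    # Content check first: an executable is rejected however it is named.
    if data.startswith(EXECUTABLE_MAGIC):
        return Verdict(False, "content is a native executable or script")
    ext = declared_extension(filename)
    if ext not in ALLOWED_TYPES:
        return Verdict(False, f"extension {ext or '(none)'} is not allowlisted")
    magics = ALLOWED_TYPES[ext]
    if magics:
        if not data.startswith(magics):
            return Verdict(False, f"content does not match the {ext} signature")
    elif not looks_like_text(data):
        return Verdict(False, "declared text file contains binary data")
    return Verdict(True, "ok")


if __name__ == "__main__":
    # Constructed samples: a genuine PNG header and a PE header renamed to .png.
    print(validate_upload("chart.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_upload("chart.png", b"MZ\x90\x00" + b"\x00" * 60))
```

The check runs the content test before the name test, so a privileged user who renames an executable to a permitted extension is still refused, and the final extension is taken from the basename so double extensions and path segments do not change the decision. Magic-number checks are a floor, not a ceiling: a production service would also store uploads outside any executable or web-served path and serve them with a fixed Content-Type.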
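Because CVE-2024-51466 is reachable without authentication, the most useful detection sits in front of the application: any request whose parameters carry EL delimiters (`${...}` or `#{...}`) deserves a look. The detector below is an added example for this article, not IBM's code and not a Cognos log format; it parses constructed access log lines in common log format, percent-decodes each query parameter repeatedly (bounded) so double-encoded values are not missed, and reports parameters whose decoded value contains EL syntax. The sample lines, the request path and the record fields are all constructed for the demonstration.

```python
"""Added example (not IBM's code): flag requests that carry EL syntax.

CWE-917 is exploited by placing Expression Language expressions, ${...} or
#{...}, into input that the server later evaluates. This hypothetical detector
parses web access log lines, percent-decodes each query parameter repeatedly
(bounded) so double-encoded payloads are not missed, and reports parameters that
contain EL delimiters. The log format and sample lines are constructed for the demo.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in common log format; the path is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /example/report?name=quarterly HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /example/report?name=%24%7B7*7%7D HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /example/report?name=%2524%257B7*7%257D HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /example/report?q=price%20%3E%20%24100 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# "${" or "#{" followed by a closing brace: the shape every EL expression has.
EL_RE = re.compile(r"[$#]\{[^}]*\}")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_params(target: str):
    """Yield (name, raw_value) pairs without decoding, so nothing is lost early."""
    query = urlsplit(target).query
    for part in query.split("&"):
        if not part:
            continue
        name, _, raw = part.partition("=")
        yield name, raw


def find_el_candidates(log_text: str) -> list:
    """Return one record per parameter whose decoded value contains EL syntax."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access log line
        for name, raw in query_params(m.group("target")):
            decoded = fully_decode(raw)
            if EL_RE.search(decoded):
                hits.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "param": name,
                    "value": decoded,
                    # True when a single decode pass would have missed it.
                    "double_encoded": unquote_plus(raw) != decoded,
                })
    return hits


if __name__ == "__main__":
    for hit in find_el_candidates(SAMPLE_LOG):
        print(hit)
```

On the sample, the second and third lines are reported and the fourth is not: a literal dollar sign in `price > $100` has no brace pair, so the rule keys on the delimiter shape rather than on `$` alone. The `double_encoded` flag is worth surfacing separately, since a value that only becomes an expression after two decodes is rarely produced by a legitimate client. Such a rule is a triage aid for an unpatched window, not a substitute for the fix versions listed below, and it only sees GET parameters; POST bodies need the same treatment at the proxy or application layer.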
Affected Products and Versions
The vulnerabilities impact the following versions of IBM Cognos Analytics:
| Product | Versions Affected |
|---|---|
| IBM Cognos Analytics | 12.0.0 – 12.0.4 |
| IBM Cognos Analytics | 11.2.0 – 11.2.4 FP4 |
Remediation and Recommendations
IBM strongly advises users to upgrade to the latest versions to address these vulnerabilities:
| Product | Version(s) | Fix Version |
|---|---|---|
| IBM Cognos Analytics | 12.0.0 – 12.0.4 | 12.0.4 Interim Fix 1 |
| IBM Cognos Analytics | 11.2.0 – 11.2.4 FP4 | 11.2.4 FP5 |
No workarounds or mitigations are available for these issues; upgrading is the only solution.
These vulnerabilities highlight the importance of maintaining updated software systems to prevent exploitation by attackers.
Organizations using IBM Cognos Analytics should prioritize applying the recommended fixes immediately to safeguard their environments against potential breaches or service disruptions.
For future updates on security bulletins, users are encouraged to subscribe to IBM’s notification services for timely alerts on critical vulnerabilities and fixes.