Planning Analytics Workspace
CVE-2024-35143
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
IBM Planning Analytics Local 2.0 and 2.1 connects to a MongoDB server. MongoDB, a document-oriented database system, is listening on the remote port, and it is configured to allow connections without password authentication. A remote attacker can gain unauthorized access to the database. IBM X-Force ID: 292420.
AnalysisAI
IBM Planning Analytics Local 2.0 and 2.1 connects to a MongoDB server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Missing Authentication for Critical Function (CWE-306), which allows attackers to access critical functionality without authentication. IBM Planning Analytics Local 2.0 and 2.1 connects to a MongoDB server. MongoDB, a document-oriented database system, is listening on the remote port, and it is configured to allow connections without password authentication. A remote attacker can gain unauthorized access to the database. IBM X-Force ID: 292420. Affected products include: Ibm Planning Analytics Workspace, Ibm Planning Analytics Local.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Require authentication for all sensitive operations, implement defense in depth.
More in Planning Analytics Workspace
View allIBM Planning Analytics Local 2.0 could allow an attacker to upload arbitrary executable files which, when executed by an
IBM Planning Analytics Local 2.0 allows web pages to be stored locally which can be read by another user on the system.
IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the
IBM Planning Analytics Local 2.1.0 through 2.1.14 stores sensitive information in source code could be used in further a
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today