Skip to main content

Cognos Analytics CVE-2024-40703

MEDIUM
Insufficiently Protected Credentials (CWE-522)
2024-09-22 psirt@us.ibm.com
5.5
CVSS 3.1 · Vendor: us
Share

Severity by source

Vendor (us) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from Vendor (us) · only source for this CVE.

CVSS VectorVendor: us

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 22, 2024 - 13:15 cve.org
MEDIUM 5.5

DescriptionCVE.org

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and IBM Cognos Analytics Reports for iOS 11.0.0.7 could allow a local attacker to obtain sensitive information in the form of an API key. An attacker could use this information to launch further attacks against affected applications.

AnalysisAI

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and IBM Cognos Analytics Reports for iOS 11.0.0.7 could allow a local attacker to obtain sensitive. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Technical ContextAI

This vulnerability is classified as Insufficiently Protected Credentials (CWE-522), which allows attackers to obtain user credentials due to weak protection mechanisms. IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and IBM Cognos Analytics Reports for iOS 11.0.0.7 could allow a local attacker to obtain sensitive information in the form of an API key. An attacker could use this information to launch further attacks against affected applications. Affected products include: Ibm Cognos Analytics, Ibm Cognos Analytics Reports.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Hash passwords with strong algorithms (bcrypt, argon2), encrypt credentials in transit and at rest, never log credentials.

CVE-2022-38708 CRITICAL
9.1 Dec 19

IBM Cognos Analytics 11.1.7 11.2.0, and 11.2.1 could be vulnerable to a Server-Side Request Forgery Attack (SSRF) attack

CVE-2020-4377 CRITICAL
9.1 Aug 03

IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML dat

CVE-2019-4178 CRITICAL
9.1 Apr 15

IBM Cognos Analytics 11 could allow a remote attacker to traverse directories on the system. Rated critical severity (CV

CVE-2024-51466 CRITICAL
9.0 Dec 20

IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 is vulnerable to an Expression Language (EL) In

CVE-2021-29756 HIGH
8.8 Dec 03

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site request forgery (CSRF) in the My Inbox page which cou

CVE-2021-29745 HIGH
8.8 Oct 15

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access

CVE-2021-29679 HIGH
8.8 Oct 15

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated user to execute code remotely due to incorrectly neu

CVE-2024-25047 HIGH
8.6 May 02

IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.2 is vulnerable to injection attacks in application l

CVE-2020-4388 HIGH
8.2 Oct 12

IBM Cognos Analytics 11.0 and 11.1 could be vulnerable to a denial of service attack by failing to catch exceptions in a

CVE-2022-36773 HIGH
8.1 Sep 01

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when proc

CVE-2024-40695 HIGH
8.0 Dec 20

IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 could be vulnerable to malicious file upload by

CVE-2020-4302 HIGH
7.8 Oct 12

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to execute arbitrary code on the system, caused by a CS

Share

CVE-2024-40703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy