History: Dec 19, 2022 - 8:12 p.m.

CVE-2022-38708 IBM Cognos Analytics server-side request forgery

2022-12-19 20:12:17
CWE-918
ibm
www.cve.org
ibm cognos analytics
ssrf
vulnerability
versions 11.1.7
11.2.0
11.2.1

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score: 8.6
Confidence: High

EPSS: 0.001
Percentile: 43.5%

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could be vulnerable to a Server-Side Request Forgery (SSRF) attack by constructing URLs from user-controlled data. This could enable attackers to make arbitrary requests to the internal network or to the local file system. IBM X-Force ID: 234180.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Cognos Analytics",
    "vendor": "IBM",
    "versions": [
      {
        "status": "affected",
        "version": "11.1.7 11.2.0, 11.2.1"
      }
    ]
  }
]
