History: Nov 05, 2019 - 3:31 p.m.

Security Bulletin: Security Vulnerabilities have been addressed in IBM Cognos Analytics

Published: 2019-11-05 15:31:03 | Source: www.ibm.com

EPSS: 0.001 (Low) | Percentile: 48.7%

Summary

This Security Bulletin covers vulnerabilities that have been addressed in IBM Cognos Analytics 11.1.4 and 11.0.13 FP2.

A vulnerability has been addressed where a parameter in a Cognos URL can be modified such that Cognos HTTP messages are forwarded to a hostile server. (CVE-2018-1721)

A vulnerability has been addressed where the X-Powered-By attribute was being returned in the HTTP response header by IBM Cognos Analytics. This information might help an attacker gain a better understanding of the systems in use and potentially develop further attacks targeted at the specific version of the web server. (CVE-2019-4334)

A vulnerability has been addressed in IBM Cognos Analytics 11.1.4 where the product could be vulnerable to a cross-site scripting (XSS) attack in the Assistant Search tab via .xlsx file upload (CVE-2019-4645). This vulnerability was not applicable to IBM Cognos Analytics 11.0.x.

Vulnerability Details

CVEID: CVE-2018-1721 DESCRIPTION: IBM Cognos Analytics is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or cause the web server to make HTTP requests to arbitrary domains.
CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/147369 for the current score
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)

CVEID: CVE-2019-4334 DESCRIPTION: IBM Cognos Analytics could reveal sensitive information to an authenticated user that could be used in future attacks against the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/161271 for the current score
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-4645 DESCRIPTION: IBM Cognos Analytics could be vulnerable to an XSS attack in the Assistant Search tab via .xlsx file upload.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/170881 for the current score
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Cognos Analytics 11.1

IBM Cognos Analytics 11.0

Remediation/Fixes

IBM Cognos Analytics 11.1.4

IBM Cognos Analytics 11.0.13 FP2

Workarounds and Mitigations

None

