CVSS3: 7.3 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: LOW | Integrity Impact: LOW | Availability Impact: LOW
EPSS: 0.006 Low (percentile 79.3%)
Security vulnerabilities have been addressed in IBM Cognos Analytics. IBM Cognos Analytics is vulnerable to an Arbitrary File Write via Archive Extraction (Zip Slip) in JSZip (CVE-2022-48285). This has been addressed by upgrading JSZip to a non-vulnerable version. A Server-Side Request Forgery (SSRF) vulnerability has been addressed (CVE-2023-35011). Additionally, a vulnerability that exposes a detailed error message, which could be used to gain information for further attacks, has been addressed (CVE-2023-35009).
CVEID: CVE-2023-35011
**DESCRIPTION:** IBM Cognos Analytics is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
CVSS Base score: 5.4
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/257705 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2022-48285
**DESCRIPTION:** JSZip could allow a remote attacker to traverse directories on the system, caused by the failure to sanitize filenames when files are loaded with loadAsync, which makes the library vulnerable to a Zip Slip attack. By extracting files from a specially crafted archive, an attacker could gain access to parts of the file system outside of the target folder, overwrite the executable files and execute arbitrary commands on the system.
CVSS Base score: 7.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/244499 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2023-35009
**DESCRIPTION:** IBM Cognos Analytics could allow a remote attacker to obtain system information without authentication, which could be used in reconnaissance to gather information for future attacks.
CVSS Base score: 5.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/257703 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Cognos Analytics | 12.0 |
IBM Cognos Analytics | 11.2.x |
IBM Cognos Analytics | 11.1.x |
IBM strongly recommends addressing the vulnerabilities now by upgrading.
**Product(s)** | **Version(s)** | **Remediation/Fix/Instructions** |
---|---|---|
IBM Cognos Analytics | 12.0 | Downloading IBM Cognos Analytics 12.0.1 |
IBM Cognos Analytics | 11.2.x | IBM Cognos Analytics 11.2.4 Fix Pack 2 |
IBM Cognos Analytics | 11.1.x | IBM Cognos Analytics 11.1.7 Interim Fix 10 |
None
Name | Operator | Version |
---|---|---|
ibm cognos analytics | eq | 12.0 |
ibm cognos analytics | eq | 11.2.1 |
ibm cognos analytics | eq | 11.2.0 |
ibm cognos analytics | eq | 11.1.7 |