Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM51D9791F34A60949E753D5D5D3B18A0FEB74792B5E0278450345A6CC1EA406FA
HistorySep 27, 2023 - 2:07 p.m.

Security Bulletin: IBM Cognos Analytics is affected but not classified as vulnerable to vulnerabilities in IBM Websphere Application Server Liberty

2023-09-2714:07:50
www.ibm.com
43
ibm cognos analytics
websphere application server liberty
vulnerabilities
apache cxf
apache james mime4j
resteasy
ssrf attack
local attacker
elevated privileges
upgrade
fix pack

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.039 Low

EPSS

Percentile

92.0%

JSON

Summary

IBM Cognos Analytics is affected but not classified as vulnerable to vulnerabilities in IBM Websphere Application Server Liberty as the vulnerable features are not enabled (see References below). IBM Cognos Analytics has upgraded to an non-affected version of IBM Websphere Application Server Liberty.

Vulnerability Details

CVEID:CVE-2022-46364
**DESCRIPTION:**Apache CXF is vulnerable to server-side request forgery, caused by a flaw in parsing the href attribute of XOP:Include in MTOM requests. By using a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242008 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-45787
**DESCRIPTION:**Apache James MIME4J could allow a local authenticated attacker to obtain sensitive information, caused by improper laxist permissions on the temporary files. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244033 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-0482
**DESCRIPTION:**RESTEasy could allow a local authenticated attacker to gain elevated privileges on the system, caused by the creation of insecure temp files in the File.createTempFile() used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246304 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cognos Analytics 12.0
IBM Cognos Analytics 11.2.x
IBM Cognos Analytics 11.1.x

Remediation/Fixes

IBM recommends upgrading:

Affected Product(s) Version Fix
IBM Cognos Analytics 12.0 IBM Cognos Analytics 12.0.1
IBM Cognos Analytics 11.2.x IBM Cognos Analytics 11.2.4 Fix Pack 2
IBM Cognos Analytics 11.1.x

Upgrade to:

IBM Cognos Analytics 12.0.1 or 11.2.4 Fix Pack 2

Workarounds and Mitigations

None

Related

ibm 76
veracode 3
osv 5
cve 3
prion 3
github 3
cnvd 1
redhatcve 3
nessus 19
redhat 34
debiancve 1
ubuntucve 1
amazon 1
qualysblog 2
oracle 3
ibm
ibm
Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to a server-side request forgery, a denial of service, an attacker obtaining sensitive information, and gaining elevated privileges due to multiple vulnerabilities.
2023-05-01 14:52:39
Security Bulletin: IBM Spectrum Control is vulnerable to weaknesse related to IBM WebSphere Application Server Liberty
2023-10-06 07:58:05
Security Bulletin: Multiple Security Vulnerabilities were identified in IBM Security Verify Access (CVE-2023-46158, CVE-2023-0482, CVE-2022-46364, CVE-2023-28867)
2024-01-17 15:30:23
veracode
veracode
Information Disclosure
2023-01-08 03:34:35
Server-side Request Forgery (SSRF)
2022-12-14 02:50:22
Insecure Temporary Files
2023-03-01 09:06:36
osv
osv
CVE-2022-46364
2022-12-13 17:15:17
Apache James MIME4J vulnerable to information disclosure to local users
2023-01-06 12:31:34
Apache CXF Server-Side Request Forgery vulnerability
2022-12-13 18:30:26
cve
cve
CVE-2022-46364
2022-12-13 17:15:00
CVE-2022-45787
2023-01-06 10:15:10
CVE-2023-0482
2023-02-17 22:15:11
prion
prion
Information disclosure
2023-01-06 10:15:00
Server side request forgery (ssrf)
2022-12-13 17:15:00
Design/Logic Flaw
2023-02-17 22:15:00
github
github
Apache James MIME4J vulnerable to information disclosure to local users
2023-01-06 12:31:34
Apache CXF Server-Side Request Forgery vulnerability
2022-12-13 18:30:26
Insecure Temporary File in RESTEasy
2023-02-18 00:31:59
cnvd
cnvd
Apache James licensing issue vulnerability
2023-01-11 00:00:00
redhatcve
redhatcve
CVE-2022-45787
2023-03-14 19:43:01
CVE-2022-46364
2022-12-21 22:01:38
CVE-2023-0482
2023-01-31 17:05:28
nessus
nessus
RHEL 7 / 9 : Red Hat JBoss Enterprise Application Platform 7.4 (RHSA-2023:0163)
2023-01-13 00:00:00
RHEL 8 : Red Hat Single Sign-On 7.6.3 security update on RHEL 8 (Moderate) (RHSA-2023:2706)
2023-05-13 00:00:00
RHEL 9 : Red Hat Single Sign-On 7.6.3 security update on RHEL 9 (Moderate) (RHSA-2023:2707)
2023-05-13 00:00:00
redhat
redhat
(RHSA-2023:0164) Important: Red Hat JBoss Enterprise Application Platform 7.4 security update
2023-01-12 20:48:48
(RHSA-2023:0163) Important: Red Hat JBoss Enterprise Application Platform 7.4 security update
2023-01-12 20:48:45
(RHSA-2023:2713) Moderate: Red Hat Single Sign-On 7.6.3 security update
2023-05-10 11:57:32
debiancve
debiancve
CVE-2023-0482
2023-02-17 22:15:11
ubuntucve
ubuntucve
CVE-2023-0482
2023-02-17 00:00:00
amazon
amazon
Medium: resteasy-base
2024-01-03 21:04:00
qualysblog
qualysblog
Oracle Patch Tuesday April 2023 Security Update Review
2023-04-19 11:47:21
Oracle Patch Tuesday, July 2023 Security Update Review
2023-07-19 15:56:06
oracle
oracle
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00
Oracle Critical Patch Update Advisory - April 2024
2024-04-16 00:00:00
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.039 Low

EPSS

Percentile

92.0%

JSON
Related for 51D9791F34A60949E753D5D5D3B18A0FEB74792B5E0278450345A6CC1EA406FA
ibm76veracode3osv5cve3prion3github3cnvd1redhatcve3nessus19redhat34debiancve1ubuntucve1amazon1qualysblog2oracle3