logo
DATABASE RESOURCES PRICING ABOUT US

Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

Description

## Summary Security vulnerabilities have been addressed in IBM Cognos Analytics 11.0.13 FP4. These vulnerabilities have also been addressed in previous versions of IBM Cognos Analytics 11.1.x . ## Vulnerability Details ** CVEID: **[CVE-2019-12402](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402>) ** DESCRIPTION: **Apache Commons Compress is vulnerable to a denial of service, caused by an error in the internal file name encoding algorithm. By choosing the file names inside of a specially crafted archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165956](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165956>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2020-2601](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2601>) ** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVSS Base score: 6.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174548](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174548>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) ** CVEID: **[CVE-2020-4520](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4520>) ** DESCRIPTION: **IBM Cognos Analytics could allow a remote attacker to inject malicious HTML code that when viewed by the authenticated victim would execute the code. CVSS Base score: 7.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182395](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182395>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-4730](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4730>) ** DESCRIPTION: **IBM Cognos Analytics is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. CVSS Base score: 7.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172533](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172533>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) ** CVEID: **[CVE-2019-12086](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a Polymorphic Typing issue that occurs due to missing com.mysql.cj.jdbc.admin.MiniAdmin validation. By sending a specially-crafted JSON message, a remote attacker could exploit this vulnerability to read arbitrary local files on the server. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/161256](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161256>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2020-2830](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2830>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179728](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179728>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2020-2781](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2781>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179681](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179681>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2020-2800](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2800>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Lightweight HTTP Server component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 4.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179698](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179698>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) ** CVEID: **[CVE-2020-2757](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2757>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179657](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179657>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2020-2756](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2756>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179656](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179656>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2020-2755](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2755>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Scripting component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179655](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179655>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2020-2754](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2754>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Scripting component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179654](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179654>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2019-4471](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4471>) ** DESCRIPTION: **IBM Cognos Analytics could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for a sensitive cookie in an HTTPS session. A remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163780](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163780>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2020-14621](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14621>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185099](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185099>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2020-14579](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14579>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185057](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185057>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2020-14578](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14578>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185056](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185056>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2020-14577](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14577>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185055>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2020-14060](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14060>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183422](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183422>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-14062](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14062>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183425](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183425>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-4305](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4305>) ** DESCRIPTION: **IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie. IBM X-Force ID: 160951. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160951](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160951>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2019-4724](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4724>) ** DESCRIPTION: **IBM Cognos Analytics could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Content Backup page. CVSS Base score: 4.6 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172130](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172130>) for the current score. CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2019-12814](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to read arbitrary local files on the server. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162875>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2019-2949](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2949>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Kerberos component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVSS Base score: 6.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169254>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) ** CVEID: **[CVE-2020-4354](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4354>) ** DESCRIPTION: **IBM Cognos Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178506](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178506>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2019-17267](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267>) ** DESCRIPTION: **FasterXML jackson-databind could provide weaker than expected security, caused by a polymorphic typing issue in the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. A remote attacker could exploit this vulnerability to launch further attacks on the system. CVSS Base score: 7.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168514>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) ** CVEID: **[CVE-2020-4329](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4329>) ** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177841](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177841>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2019-4653](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4653>) ** DESCRIPTION: **IBM Cognos Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/170964](<https://exchange.xforce.ibmcloud.com/vulnerabilities/170964>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2019-4722](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4722>) ** DESCRIPTION: **IBM Cognos Analytics could allow a remote attacker to obtain sensitive information via a stack trace due to mishandling of certain error conditions. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172128](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172128>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2020-4561](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4561>) ** DESCRIPTION: **IBM Cognos Analytics DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote attacker who can access a valid CA endpoint to read and write files to the Cognos Analytics system. CVSS Base score: 10 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183903](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183903>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2020-2593](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2593>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 4.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174541](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174541>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) ** CVEID: **[CVE-2019-4732](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4732>) ** DESCRIPTION: **IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. By placing a specially-crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 172618. CVSS Base score: 7.2 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172618](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172618>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2019-4441](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4441>) ** DESCRIPTION: **IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163177](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163177>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2020-4300](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4300>) ** DESCRIPTION: **IBM Cognos Analytics is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. CVSS Base score: 8.2 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176607](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176607>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L) ** CVEID: **[CVE-2020-9546](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177102](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177102>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-14892](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14892>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using commons-configuration 1 and 2 JNDI classes. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177106](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177106>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-14893](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using the xalan JNDI gadget. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177108](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177108>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-12406](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12406>) ** DESCRIPTION: **Apache CXF is vulnerable to a denial of service, caused by the failure to restrict the number of message attachments present in a given message. By sending a specially-crafted message containing an overly large number of message attachments, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/170974](<https://exchange.xforce.ibmcloud.com/vulnerabilities/170974>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2017-18214](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18214>) ** DESCRIPTION: **Node.js moment module is vulnerable to a denial of service. A remote attacker could exploit this vulnerability to cause a low severity regular expression denial of service. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/135364](<https://exchange.xforce.ibmcloud.com/vulnerabilities/135364>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2020-2654](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2654>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174601](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174601>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2018-11771](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771>) ** DESCRIPTION: **Apache Commons Compress is vulnerable to a denial of service, caused by the failure to return the correct EOF indication after the end of the stream has been reached by the ZipArchiveInputStream method. By reading a specially crafted ZIP archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 3.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148429](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148429>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2020-2590](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2590>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174538](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174538>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2018-15494](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15494>) ** DESCRIPTION: **Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DataGrid component. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148556](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148556>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2019-14379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the SubTypeValidator.java. An attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165286>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-16942](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the commons-dbcp class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168254>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-1547](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547>) ** DESCRIPTION: **OpenSSL could allow a local authenticated attacker to obtain sensitive information, caused by the ability to construct an EC group missing the cofactor using explicit parameters instead of using a named curve. An attacker could exploit this vulnerability to obtain full key recovery during an ECDSA signature operation. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167020](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167020>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2019-1549](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549>) ** DESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to include protection in the event of a fork() system call to ensure that the parent and child processes do not share the same RNG state. An attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167021](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167021>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2019-1563](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563>) ** DESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in PKCS7_dataDecode and CMS_decrypt_set1_pkey. By sending an overly large number of messages to be decrypted, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167022](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167022>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2020-8141](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8141>) ** DESCRIPTION: **Node.js dot package could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Function(). By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178225](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178225>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-8840](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840>) ** DESCRIPTION: **Multiple Huawei products could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data without proper validation. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185699>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2019-11771](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11771>) ** DESCRIPTION: **Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the inclusion of unused RPATHS in AIX builds. An attacker could exploit this vulnerability to inject code and gain elevated privileges on the system. CVSS Base score: 8.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163989](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163989>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-2762](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2762>) ** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163826](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163826>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2019-2769](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2769>) ** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163832](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163832>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2019-2816](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2816>) ** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 4.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163878](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163878>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) ** CVEID: **[CVE-2019-4473](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4473>) ** DESCRIPTION: **Multiple binaries in IBM SDK, Java Technology Edition 7, 7R, and 8 on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users. IBM X-Force ID: 163984. CVSS Base score: 8.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163984](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163984>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-11113](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178903](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178903>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-10969](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10969>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in javax.swing.JEditorPane. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178546](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178546>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-20190](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20190>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to a class(es) of JDK Swing. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/195243](<https://exchange.xforce.ibmcloud.com/vulnerabilities/195243>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-10086](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086>) ** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2016-1000031](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031>) ** DESCRIPTION: **Apache Commons FileUpload, as used in Novell NetIQ Sentinel and other products, could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in DiskFileItem class of the FileUpload library. A remote attacker could exploit this vulnerability to execute arbitrary code under the context of the current process. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/117957](<https://exchange.xforce.ibmcloud.com/vulnerabilities/117957>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-20330](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330>) ** DESCRIPTION: **A lacking of certain net.sf.ehcache blocking in FasterXML jackson-databind has an unknown impact and attack vector. CVSS Base score: 7.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173897](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173897>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) ** CVEID: **[CVE-2019-2964](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2964>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Concurrency component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169270](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169270>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2019-2973](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2973>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169279](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169279>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2019-2978](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2978>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169284](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169284>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2019-2981](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2981>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169287](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169287>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2019-2983](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2983>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169289](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169289>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2019-2989](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2989>) ** DESCRIPTION: **An unspecified vulnerability in Java SE could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. CVSS Base score: 6.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169295](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169295>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N) ** CVEID: **[CVE-2019-4723](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4723>) ** DESCRIPTION: **IBM Cognos Analytics could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Data Server Connection page. CVSS Base score: 4.6 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172129](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172129>) for the current score. CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) ## Affected Products and Versions IBM Cognos Analytics 11.1 IBM Cognos Analytics 11.0 ## Remediation/Fixes **For IBM Cognos Analytics 11.1.x : ** The listed vulnerabilities have been addressed in previously released versions of IBM Cognos Analytics 11.1.x .The recommended solution is to apply the latest available fix for the version as soon as practical. [IBM Cognos Analytics 11.1.7 FP2](<https://www.ibm.com/support/pages/ibm-cognos-analytics-1117-fix-pack-2> "IBM Cognos Analytics 11.1.7 FP2" ) **For IBM Cognos Analytics 11.0.x:** The recommended solution is to apply the latest available version of IBM Cognos Analytics 11.0.x. [IBM Cognos Analytics 11.0.13 Fix Pack 4](<https://www.ibm.com/support/pages/node/6402561> "IBM Cognos Analytics 11.0.13 Fix Pack 4" ) **IBM Cognos Analytics in Cloud** All applicable vulnerabilities have been addressed on IBM Cognos Analytics Cloud environments and no further action is required. ## Workarounds and Mitigations None ## Get Notified about Future Security Bulletins Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this. ### References [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> "Link resides outside of ibm.com" ) [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> "Link resides outside of ibm.com" ) Off ## Related Information [IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) [IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>) [IBM Java SDK Security Bulletin (July 2020)](<https://www.ibm.com/support/pages/node/6256562> "" ) [IBM Java SDK Security Bulletin (April 2020)](<https://www.ibm.com/support/pages/node/6206154> "" ) [IBM Java SDK Security Bulletin (January 2020)](<https://www.ibm.com/support/pages/node/5736807> "" ) [IBM Java SDK Security Bulletin (October 2019)](<https://www.ibm.com/support/pages/node/1120071> "" ) ## Acknowledgement ## Change History 28 May 2021: Initial Publication *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. ## Disclaimer Review the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment. ## Document Location Worldwide [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTSF6","label":"IBM Cognos Analytics"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.1, 11.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]


Affected Software


CPE Name Name Version
ibm cognos analytics 11.1
ibm cognos analytics 11.0

Related