Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMC6324A3EF45791634807F1A3E649F45DC0E3697C2CBC966F21AF4D4D9E99531F
HistoryJul 30, 2020 - 1:47 p.m.

Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

2020-07-3013:47:03
www.ibm.com
61

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON

Summary

Security vulnerabilities have been addressed in IBM Cognos Analytics.

Vulnerability Details

CVEID:CVE-2010-5312
**DESCRIPTION:**jQuery UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the title parameter in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/98696 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2019-0205
**DESCRIPTION:**Apache Thrift is vulnerable to a denial of service, caused by an error when processing untrusted Thrift payload. A remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-0210
**DESCRIPTION:**Apache Thrift is vulnerable to a denial of service, caused by an out-of-bounds read in a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol. A remote attacker could exploit this vulnerability to cause the application to panic.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169459 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-4377
**DESCRIPTION:**IBM Cognos Anaytics is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179156 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

CVEID:CVE-2016-7103
**DESCRIPTION:**jQuery UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the dialog function. A remote attacker could exploit this vulnerability using the ‘closeText’ parameter in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/119601 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-4589
**DESCRIPTION:**IBM Cognos Analytics is vulnerable to privlege escalation where the “My schedules and subscriptions” page is visible and accessible to a less privileged user.
CVSS Base score: 4.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167449 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

CVEID:CVE-2019-4366
**DESCRIPTION:**IBM Cognos Analytics is susceptible to an information disclosure vulnerability where an attacker could gain access to cached browser data.
CVSS Base score: 2.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161748 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Cognos Analytics 11.1

IBM Cognos Analytics 11.0 (versions prior to 11.0.13 FP2)

Remediation/Fixes

For IBM Cognos Analytics 11.1.x :

The recommended solution is to apply the fix for the versions listed as soon as practical.

Download IBM Cognos Analytics 11.1.7.0

For IBM Cognos Analytics 11.0.x:

IBM Cognos Analytics 11.0.x is only vulnerable to CVE-2016-7103 and this only applies to versions prior to IBM Cognos Analytics 11.0.13 FP2.

The recommended solution is to apply the latest available version of IBM Cognos Analytics 11.0.x.

IBM Cognos Analytics 11.0.13 Fix Pack 3

Workarounds and Mitigations

None

Related

ibm 19
nessus 32
gentoo 1
drupal 1
openvas 23
debian 4
osv 11
attackerkb 1
redhat 20
f5 3
cve 7
alpinelinux 2
github 4
redhatcve 3
prion 7
fedora 8
debiancve 4
ubuntucve 4
securityvulns 2
mageia 1
veracode 4
atlassian 2
checkpoint_advisories 1
nodejs 1
gitlab 3
cgr 1
symantec 2
wolfi 1
oraclelinux 2
centos 2
rosalinux 1
threatpost 1
ubuntu 1
ics 1
oracle 9
ibm
ibm
Security Bulletin: Multiple vulenerabilities CVE-2019-0205, CVE-2019-0210 in thrift package
2019-12-20 08:47:33
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Thrift
2023-05-02 22:53:35
Security Bulletin: Multiple vulnerabilities CVE-2019-12410, CVE-2019-12408 in arrow package
2019-12-20 08:47:33
nessus
nessus
EulerOS Virtualization 3.0.6.6 : thrift (EulerOS-SA-2021-1457)
2021-03-10 00:00:00
GLSA-202107-32 : Apache Thrift: Multiple vulnerabilities
2022-01-24 00:00:00
Drupal 7.x < 7.86 / 9.2.x < 9.2.11 / 9.3.x < 9.3.3 Multiple Vulnerabilities (drupal-2022-01-19)
2022-01-19 00:00:00
gentoo
gentoo
Apache Thrift: Multiple vulnerabilities
2021-07-14 00:00:00
drupal
drupal
Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002
2022-01-19 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for thrift (EulerOS-SA-2021-1457)
2021-03-05 00:00:00
Debian: Security Advisory (DLA-2889-1)
2022-01-21 00:00:00
Drupal 7.x < 7.86 Multiple XSS Vulnerabilities (SA-CORE-2022-002) - Windows
2022-01-20 00:00:00
debian
debian
[SECURITY] [DLA-2889-1] drupal7 security update
2022-01-19 20:00:29
[SECURITY] [DSA 3249-1] jqueryui security update
2015-05-03 14:28:26
[SECURITY] [DSA 3249-1] jqueryui security update
2015-05-03 14:28:26
osv
osv
drupal7 - security update
2022-01-19 00:00:00
jqueryui - security update
2015-05-03 00:00:00
CVE-2016-7103
2017-03-15 16:59:00
attackerkb
attackerkb
CVE-2016-7103
2017-03-15 00:00:00
redhat
redhat
(RHSA-2020:0962) Important: Red Hat JBoss Enterprise Application Platform 7.3 security update
2020-03-24 11:07:40
(RHSA-2020:0961) Important: Red Hat JBoss Enterprise Application Platform 7.3 security update
2020-03-24 11:06:38
(RHSA-2017:0161) Low: python-XStatic-jquery-ui security update
2017-01-19 13:13:57
f5
f5
K95208524 : jQuery vulnerability CVE-2016-7103
2017-11-13 00:00:00
K51110104 : XSS vulnerabilities CVE-2010-5312 and CVE-2012-6662
2017-07-19 00:00:00
K12492858 : Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities CVE-2021-23337, CVE-2020-28500, and CVE-2016-7103
2022-05-06 00:00:00
cve
cve
CVE-2016-7103
2017-03-15 16:59:00
CVE-2019-4366
2020-08-03 13:15:00
CVE-2019-4589
2020-08-03 13:15:00
alpinelinux
alpinelinux
CVE-2016-7103
2017-03-15 16:59:00
CVE-2010-5312
2014-11-24 16:59:00
github
github
jQuery-UI vulnerable to Cross-site Scripting in dialog closeText
2017-10-24 18:33:35
Cross-site Scripting in jquery-ui
2017-10-24 18:33:38
Out-of-bounds read in Apache Thrift
2021-05-18 15:32:04
redhatcve
redhatcve
CVE-2016-7103
2016-08-29 07:18:37
CVE-2019-0210
2021-08-08 12:08:24
CVE-2019-0205
2020-03-30 08:14:11
prion
prion
Cross site scripting
2017-03-15 16:59:00
Cross site scripting
2014-11-24 16:59:00
Information disclosure
2020-08-03 13:15:00
fedora
fedora
[SECURITY] Fedora 25 Update: python-XStatic-jquery-ui-1.12.0.1-4.fc25
2017-11-22 05:09:08
[SECURITY] Fedora 21 Update: couchdb-1.6.1-4.fc21
2014-12-12 04:12:51
[SECURITY] Fedora 20 Update: couchdb-1.6.1-4.fc20
2014-12-12 04:03:17
debiancve
debiancve
CVE-2016-7103
2017-03-15 16:59:00
CVE-2010-5312
2014-11-24 16:59:00
CVE-2019-0210
2019-10-29 19:15:00
ubuntucve
ubuntucve
CVE-2010-5312
2014-11-24 00:00:00
CVE-2016-7103
2017-03-15 00:00:00
CVE-2019-0205
2019-10-29 00:00:00
securityvulns
securityvulns
[SECURITY] [DSA 3249-1] jqueryui security update
2015-05-11 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2015-05-11 00:00:00
mageia
mageia
Updated couchdb packages fix CVE-2010-5312
2014-12-31 15:28:04
veracode
veracode
Cross-site Scripting (XSS) Via Dialog CloseText
2019-01-15 09:14:35
Cross-site Scripting (XSS)
2019-01-15 09:06:57
Denial Of Service (DoS)
2019-10-30 06:08:47
atlassian
atlassian
The jQuery version used in JIRA needs to be updated
2015-05-18 09:31:54
The jQuery version used in JIRA needs to be updated
2015-05-18 09:31:54
checkpoint_advisories
checkpoint_advisories
jQuery UI Cross-site Scripting (CVE-2016-7103)
2022-10-23 00:00:00
nodejs
nodejs
XSS in dialog closeText
2016-07-21 20:53:40
gitlab
gitlab
Out-of-bounds Read
2019-10-29 00:00:00
Loop with Unreachable Exit Condition (Infinite Loop)
2019-10-29 00:00:00
Out-of-bounds Read
2021-05-18 00:00:00
cgr
cgr
CVE-2019-0205 vulnerabilities
2024-05-02 09:06:22
symantec
symantec
Apache Thrift CVE-2019-0210 Remote Security Vulnerability
2019-10-17 00:00:00
Apache Thrift CVE-2019-0205 Denial of Service Vulnerability
2019-10-16 00:00:00
wolfi
wolfi
CVE-2019-0205 vulnerabilities
2024-05-02 09:06:21
oraclelinux
oraclelinux
ipa security and bug fix update
2015-07-28 00:00:00
ipa security, bug fix, and enhancement update
2015-03-11 00:00:00
centos
centos
ipa security update
2015-07-26 14:13:07
ipa security update
2015-03-17 13:28:21
rosalinux
rosalinux
Advisory ROSA-SA-2023-2270
2023-10-22 06:11:49
threatpost
threatpost
Oracle Fixes 253 Vulnerabilities in Last CPU of 2016
2016-10-19 13:39:40
ubuntu
ubuntu
jQuery UI vulnerabilities
2023-10-05 00:00:00
ics
ics
Hitachi Energy MSM Product
2022-08-30 12:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - July 2021
2021-07-20 00:00:00
Oracle Critical Patch Update Advisory - October 2019
2020-01-22 00:00:00
Oracle Critical Patch Update - October 2016
2016-10-18 00:00:00

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON
Related for C6324A3EF45791634807F1A3E649F45DC0E3697C2CBC966F21AF4D4D9E99531F
ibm19nessus32gentoo1drupal1openvas23debian4osv11attackerkb1redhat20f53cve7alpinelinux2github4redhatcve3prion7fedora8debiancve4ubuntucve4securityvulns2mageia1veracode4atlassian2checkpoint_advisories1nodejs1gitlab3cgr1symantec2wolfi1oraclelinux2centos2rosalinux1threatpost1ubuntu1ics1oracle9