Security Bulletin: IBM Sterling Control Center vulnerable to arbitrary file upload and sensitive information exposure due to IBM Cognos Analytics (CVE-2021-38945, CVE-2021-29768)

Published: 2022-07-25 12:56:22
Source: www.ibm.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.005 Low (percentile 75.5%)

Summary

IBM Cognos Analytics is shipped with IBM Sterling Control Center. To address multiple vulnerabilities, IBM Sterling Control Center now includes IBM Cognos Analytics 11.1.7.5.

Vulnerability Details

CVEID: CVE-2021-38945
**DESCRIPTION:** IBM Cognos Analytics 11.2.1, 11.2.0, and 11.1.7 could allow a remote attacker to upload arbitrary files, caused by improper content validation. IBM X-Force ID: 211238.
CVSS Base score: 6.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/211238 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N)

CVEID: CVE-2021-29768
**DESCRIPTION:** IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low-level user to obtain sensitive information from the details of the ‘Cloud Storage’ page, to which they should not have access. IBM X-Force ID: 202682.
CVSS Base score: 4.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/202682 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling Control Center | 6.1.3.0 iFix12 |

Remediation/Fixes

| Product | Version | Remediation / Fix |
|---|---|---|
| IBM Sterling Control Center | 6.1.3.0 iFix12 | 6.1.3.0 iFix13 (Fix Central - 6.1.3.0) |

Workarounds and Mitigations

None

| CPE Name | Operator | Version |
|---|---|---|
| ibm control center | eq | 6.1.3.0 |
