IBM Cognos Analytics Vulnerability Allows Malicious File Upload & Injection Attacks
Author: Dhivya
IBM has released a critical security update for its Cognos Analytics software, addressing two severe vulnerabilities: CVE-2023-42017 and CVE-2024-51466.
These vulnerabilities could allow attackers to upload malicious files or execute Expression Language (EL) injection attacks, putting sensitive data and system stability at risk. Users are urged to act immediately to secure their systems.
CVE-2023-42017: Malicious File Upload Vulnerability
CVE-2023-42017 arises from the system’s failure to validate uploaded files via the web interface. A privileged user could exploit this weakness to upload harmful executable files, which could then be sent to a victim for further exploitation.
This vulnerability is classified under CWE-434: Unrestricted Upload of File with Dangerous Type. With a CVSS v3.0 base score of 8.0, the flaw is considered high severity.
The risk includes significant compromise to confidentiality, integrity, and availability. Exploitation can occur remotely, requiring minimal attacker effort but with potentially devastating consequences.
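The weakness behind CWE-434 is accepting a file on the strength of its name alone. The following is an added example, not IBM Cognos Analytics code, of the kind of upload validation whose absence the advisory describes: an extension allowlist, content sniffing that rejects executable bytes whatever the name says, and a check that binary formats actually start with their own signature. The policy values (allowed extensions, size limit, magic bytes) are constructed for the example.

```python
import os

# Extensions the hypothetical endpoint is willing to store (constructed policy).
ALLOWED_EXTENSIONS = {".csv", ".txt", ".png", ".jpg", ".pdf"}

# Binary formats must begin with their own signature; "name says .png" is not enough.
EXPECTED_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}

# Leading bytes that identify executable content regardless of the file name.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xca\xfe\xba\xbe": "Java class file / Mach-O fat binary",
    b"#!": "script with interpreter line",
}

MAX_SIZE = 10 * 1024 * 1024  # constructed limit: 10 MiB


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an upload presented under `filename`.

    Every check is an allowlist or a positive match: the upload is rejected
    unless its name, extension and content all agree with the policy.
    """
    # Reject names that could escape the storage directory or confuse parsers.
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "unsafe file name"

    # Only the final extension counts: "report.pdf.exe" is an .exe.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"

    if not data:
        return False, "empty file"
    if len(data) > MAX_SIZE:
        return False, "file too large"

    # Content sniffing: an executable renamed to .txt is still an executable.
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return False, f"executable content rejected ({description})"

    # For binary formats, the bytes must actually be that format.
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not any(data.startswith(m) for m in expected):
        return False, f"content does not match {ext}"

    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample uploads: name, first bytes.
    samples = [
        ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
        ("tool.exe", b"MZ\x90\x00"),
        ("tool.txt", b"MZ\x90\x00"),
        ("image.png", b"GIF89a"),
        ("../escape.txt", b"hello"),
    ]
    for name, head in samples:
        ok, reason = validate_upload(name, head)
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Validation at upload time is one layer; the advisory's scenario (a stored file later sent to a victim) is also blunted by serving uploads from a location that never executes them and with a download disposition rather than inline rendering.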
CVE-2024-51466: Expression Language Injection Vulnerability
CVE-2024-51466 is an Expression Language (EL) Injection vulnerability that allows a remote attacker to embed malicious EL statements into the system.
Exploiting this flaw could result in the exposure of sensitive information, resource exhaustion, or a server crash.
This vulnerability is classified under CWE-917: Improper Neutralization of Special Elements Used in an Expression Language Statement.
With a CVSS v3.1 base score of 9.0, it is rated critical. Exploitation does not depend on the attacker interacting directly with the system, which further increases its exploitability in networked environments.
Affected Products and Versions
The following versions of IBM Cognos Analytics are affected:
- Versions 12.0.0 to 12.0.4
- Versions 11.2.0 to 11.2.4 FP4
These versions are vulnerable to both flaws, making it imperative for organizations using these systems to apply updates immediately.
IBM has provided fixes to address these vulnerabilities. Users of version 12.0.4 should install Interim Fix 1, while those using version 11.2.4 FP4 should upgrade to FP5.
No workarounds or mitigations are available, so upgrading to the fixed versions is essential.
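For an inventory sweep, the affected ranges and fixes above translate directly into a version check. This is an added example, not IBM tooling: it accepts version strings of the form "12.0.4" or "11.2.4 FP4" (an assumed format), compares them against the two ranges quoted in the advisory, and reports the fix named for each. It cannot see whether Interim Fix 1 is already installed on a 12.0.4 system, since that does not change the base version string.

```python
import re
from typing import NamedTuple


class Assessment(NamedTuple):
    affected: bool
    advice: str


# Assumed input format: "major.minor.patch" optionally followed by " FPn".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*FP\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'major.minor.patch[ FPn]' into a comparable tuple; FP defaults to 0."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    fix_pack = int(match.group(4)) if match.group(4) else 0
    return (major, minor, patch, fix_pack)


# Ranges and fixes as stated in the advisory: 12.0.0 to 12.0.4 (Interim Fix 1
# for 12.0.4) and 11.2.0 to 11.2.4 FP4 (upgrade to 11.2.4 FP5).
AFFECTED_RANGES = (
    ((12, 0, 0, 0), (12, 0, 4, 0), "Affected: install Interim Fix 1 for 12.0.4."),
    ((11, 2, 0, 0), (11, 2, 4, 4), "Affected: upgrade to 11.2.4 FP5."),
)


def assess(version_text: str) -> Assessment:
    """Decide whether a reported version falls inside an affected range."""
    version = parse_version(version_text)
    for low, high, advice in AFFECTED_RANGES:
        if low <= version <= high:
            return Assessment(True, advice)
    return Assessment(False, "Not in the affected ranges listed in the advisory.")


if __name__ == "__main__":
    # Constructed sample inventory entries.
    for sample in ("12.0.4", "12.0.5", "11.2.3", "11.2.4 FP4", "11.2.4 FP5", "11.1.7"):
        result = assess(sample)
        print(f"{sample:12} affected={result.affected}  {result.advice}")
```

Because the 12.0.x fix is an interim fix rather than a new version number, treat a "not affected" result for 12.0.4 as impossible to obtain from the version string alone and confirm the interim fix through the installation record instead.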
The emergence of CVE-2023-42017 and CVE-2024-51466 highlights the critical need for organizations to stay vigilant and proactive in maintaining security.
IBM users must prioritize applying the recommended fixes to avoid potential exploitation, ensuring the protection of sensitive data and system stability.