8.6

CVE-2024-25047

IBM Cognos Analytics log injection

IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.2 is vulnerable to injection attacks in application logging by not sanitizing user provided data. This could lead to further attacks against the system.  IBM X-Force ID:  282956.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IbmCognos Analytics Version >= 11.2.0 < 11.2.4
IbmCognos Analytics Version >= 12.0.0 < 12.0.3
IbmCognos Analytics Version11.2.4 Update-
IbmCognos Analytics Version11.2.4 Updatefixpack1
IbmCognos Analytics Version11.2.4 Updatefixpack2
NetappOncommand Insight Version-
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.64% 0.46
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
psirt@us.ibm.com 8.6 3.9 4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE-117 Improper Output Neutralization for Logs

The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.

https://security.netapp.com/advisory/ntap-20240621-0007/
Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/282956
Vendor Advisory
VDB Entry
https://www.ibm.com/support/pages/node/7149874
Patch
Vendor Advisory