Multiple vulnerabilities in IBM Cognos Business Intelligence Server
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 28 |
| CVE-ID | CVE-2017-3735 CVE-2017-3736 CVE-2017-3737 CVE-2018-0739 CVE-2017-7525 CVE-2017-12624 CVE-2017-15095 CVE-2018-1413 CVE-2018-2579 CVE-2018-2588 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678 CVE-2018-2599 CVE-2018-2603 CVE-2018-2657 CVE-2018-2618 CVE-2018-2634 CVE-2018-2637 CVE-2018-2800 CVE-2018-2795 CVE-2018-2796 CVE-2018-2797 CVE-2018-2798 CVE-2018-2799 CVE-2018-2783 CVE-2018-2814 CVE-2018-2790 |
| CWE-ID | CWE-125 CWE-310 CWE-20 CWE-400 CWE-502 CWE-19 CWE-79 CWE-200 CWE-264 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #5 is available. |
| Vulnerable software Subscribe |
IBM Cognos Business Intelligence Server Server applications / Web servers |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 28 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU8487
Risk: Low
CVSSv3.1: 3.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:W/RC:C]
CVE-ID: CVE-2017-3735
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to one-byte out-of-bounds read when parsing an IPAddressFamily extension in an X.509 certificate. A remote attacker can disguise text display of the certificate.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Carry propagation issue
EUVDB-ID: #VU9109
Risk: Low
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3736
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to decrypt data.
The vulnerability exists due to carry propagating bug in the x86_64 Montgomery squaring procedure (bn_sqrx8x_internal). A remote attacker can decrypt encrypted data. The vulnerability affects processors that support the BMI1, BMI2 and ADX extensions like
Intel Broadwell (5th generation) and later or AMD Ryzen.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU9594
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3737
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.
The weakness exists due to an "error state mechanism" when SSL_read() or SSL_write() is called directly after SSL object. A remote attacker can a specially crafted input, trigger a fatal error during a handshake and return it in the initial function call to access or modify sensitive information.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource exhaustion
EUVDB-ID: #VU11294
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-0739
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to excessive stack memory consumption. A remote attacker can cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Deserialization of untrusted data
EUVDB-ID: #VU9128
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-7525
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a deserialization flaw in the jackson-databind component. A remote attacker can send a specially crafted input to the readValue method of the ObjectMapper and execute arbitrary code with privileges of the target service.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
6) Data handling
EUVDB-ID: #VU11285
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-12624
CWE-ID:
CWE-19 - Data Handling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to data handling. A remote attacker can send specially crafted message attachment header and cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Remote code execution
EUVDB-ID: #VU9607
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-15095
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists in the jackson-databind development library due to improper implementation of blacklists for input handled by the ObjectMapper object readValue method. A remote unauthenticated attacker can send a malicious input and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Cross-site scripting
EUVDB-ID: #VU12583
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1413
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The weakness exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Information disclosure
EUVDB-ID: #VU10125
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2579
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to a flaw in the Java SE, Java SE Embedded,
JRockit Libraries component. A remote attacker can partially access data.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Information disclosure
EUVDB-ID: #VU10128
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2588
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.
The weakness exists due to a flaw in the Java SE, Java SE Embedded, JRockit LDAP component. A remote attacker can partially access data.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Denial of service
EUVDB-ID: #VU10142
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2663
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a flaw in the Java SE, Java SE Embedded, JRockit Libraries component. A remote attacker can cause partial denial of service conditions.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Denial of service
EUVDB-ID: #VU10144
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2677
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a flaw in the Java SE, Java SE Embedded AWT component. A remote attacker can cause partial denial of service conditions.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Denial of service
EUVDB-ID: #VU10145
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2678
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a flaw in the Java SE, Java SE Embedded, JRockit JNDI component. A remote attacker can cause partial denial of service conditions.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Security restrictions bypass
EUVDB-ID: #VU10129
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2599
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to a flaw in the Java SE, Java SE Embedded, JRockit JNDI component. A remote attacker can partially modify data and cause partial denial of service conditions.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Security restrictions bypass
EUVDB-ID: #VU10131
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2603
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to a flaw in the Java SE, Java SE Embedded, JRockit Libraries component. A remote attacker can cause partial denial of service conditions.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Denial of service
EUVDB-ID: #VU10141
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2657
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a flaw in the Java SE, JRockit Serialization component. A remote attacker can cause partial denial of service conditions.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Information disclosure
EUVDB-ID: #VU10132
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2618
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to a flaw in the Java SE, Java SE Embedded, JRockit JCE component. A remote attacker can access data.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Information disclosure
EUVDB-ID: #VU10136
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2634
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to a flaw in the Java SE, Java SE Embedded JGSS component. A remote attacker can access data.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Security restrictions bypass
EUVDB-ID: #VU10137
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2637
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to bypass security restrictions on the target system.
The weakness exists due to a flaw in the Java SE, Java SE Embedded, JRockit JMX component. A remote attacker can access and modify data.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Security restrictions bypass
EUVDB-ID: #VU11954
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2800
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.
The weakness exists in the Java SE, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, update, insert or delete some of Java SE, JRockit accessible data and gain unauthorized read access to a subset of Java SE, JRockit accessible data.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Security restrictions bypass
EUVDB-ID: #VU11949
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2795
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can partially cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Security restrictions bypass
EUVDB-ID: #VU11950
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2796
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can partially cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Security restrictions bypass
EUVDB-ID: #VU11951
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2797
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can partially cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Security restrictions bypass
EUVDB-ID: #VU11952
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2798
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can partially cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Security restrictions bypass
EUVDB-ID: #VU11953
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2799
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can partially cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Security restrictions bypass
EUVDB-ID: #VU11946
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2783
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.
The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Java SE, Java SE Embedded, JRockit accessible data and gain unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Security restrictions bypass
EUVDB-ID: #VU11957
Risk: High
CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2814
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.
The weakness exists in the Java SE, Java SE Embedded component of Oracle Java SE due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
28) Security restrictions bypass
EUVDB-ID: #VU11947
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-2790
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to write arbitrary files on the target system.
The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and update, insert or delete some of Java SE, Java SE Embedded accessible data.
Install update from vendor's website.
Vulnerable software versionsIBM Cognos Business Intelligence Server: 10.2 - 10.2.2
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
