SB2023071326 - Multiple vulnerabilities in IBM Cognos Analytics
Published: July 13, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2020-7789)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Prototype pollution (CVE-ID: CVE-2020-7598)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Resource exhaustion (CVE-ID: CVE-2021-44906)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
4) Improper Authentication (CVE-ID: CVE-2022-40664)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when forwarding or including requests via RequestDispatcher. A remote attacker can bypass authentication process and gain unauthorized access to the application.
Remediation
Install update from vendor's website.