SB2024110830 - Multiple vulnerabilities in IBM Cognos Analytics
Published: November 8, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 30 secuirty vulnerabilities.
1) Covert Timing Channel (CVE-ID: CVE-2023-46809)
The vulnerability allows a remote attacker to perform Marvin attack.
The vulnerability exists due to a covert timing channel in the privateDecrypt() API of the crypto library. A remote attacker can perform a covert timing side-channel during PKCS#1 v1.5 padding error handling and decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing Json Web Encryption messages.
2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-22329)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
3) Input validation error (CVE-ID: CVE-2024-22025)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling brotli decoding. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
4) Improper Authorization (CVE-ID: CVE-2023-41900)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an error in the revocation process. If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the current request will still treat the user as authenticated.
5) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2023-40167)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests when handling the "+" character passed via the HTTP/1 header field. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
6) Input validation error (CVE-ID: CVE-2023-36479)
The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in org.eclipse.jetty.servlets.CGI Servlet when quoting a command before its execution. A remote user can force the application to execute arbitrary file on the server and potentially compromise the system.
7) Path traversal (CVE-ID: CVE-2024-21896)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in Buffer.prototype.utf8Write. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
8) Improper handling of exceptional conditions (CVE-ID: CVE-2024-21892)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the way certain environment variables are handled by Node.js on Linux. A local user can use a specially crafted environment variable to escalate privileges on the system.
9) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2023-50312)
The vulnerability allows an adjacent attacker to gain access to potentially sensitive information.
The vulnerability exists due to weaker than expected security for outbound TLS connections caused by a failure to honor user configuration. An adjacent attacker can gain unauthorized access to sensitive information on the system.
10) Improper Privilege Management (CVE-ID: CVE-2024-22017)
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). A local user can escalate privileges on the system.
11) Path traversal (CVE-ID: CVE-2024-21891)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
12) Input validation error (CVE-ID: CVE-2024-22019)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP requests with chunked encoding. A remote attacker can send specially crafted HTTP request to the server and perform a denial of service (DoS) attack.
13) Inconsistency between implementation and documented design (CVE-ID: CVE-2024-21890)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper handling of wildcards in --allow-fs-read and --allow-fs-write. A remote attacker can gain access to sensitive information.
14) Input validation error (CVE-ID: CVE-2023-38737)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request to the server and perform a denial of service (DoS) attack.
15) Arbitrary file upload (CVE-ID: CVE-2022-29622)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of file extension when uploading files. A remote attacker can upload and execute arbitrary file on the system.
16) Cross-site scripting (CVE-ID: CVE-2024-27270)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
17) Race condition (CVE-ID: CVE-2020-27216)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition. On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
18) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2023-44483)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to software stores sensitive information into log files when using the JSR 105 API. A remote user can obtain a private key when generating an XML Signature with debug level enabled.
19) Resource exhaustion (CVE-ID: CVE-2023-26048)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing multipart requests in request.getParameter(). A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
20) Input validation error (CVE-ID: CVE-2023-26049)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient input validation when parsing cookies. A remote attacker can send a specially crafted HTTP request with a cookie value that starts with a double quote and force the application to read the cookie string until it sees a closing quote. Such behavior can be used to exfiltrate sensitive values from other cookies.
21) Insufficient Session Expiration (CVE-ID: CVE-2021-34428)
The vulnerability allows an attacker to gain access to sensitive information.
The vulnerability exists due to insufficient session expiration issue. If an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated.
22) Cross-site scripting (CVE-ID: CVE-2019-10241)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
23) Session fixation attack (CVE-ID: CVE-2018-12538)
The vulnerability allows a remote attacker to a session fixation attack on a target system.
The vulnerability exists due to improper security restrictions when the FileSessionDataStore class is used for persistent storage of HTTP session details. A remote attacker can submit a partial session ID, delete other unmatched HTTP sessions from filesystem storage for the FileSessionDataStore class and hijack existing HTTP sessions or cause the service to crash.
24) Resource exhaustion (CVE-ID: CVE-2023-52428)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of user requests by the PasswordBasedDecrypter (PBKDF2) component. A remote attacker can send a specially crafted request using a large JWE p2c header, trigger resource exhaustion and perform a denial of service (DoS) attack.
25) Input validation error (CVE-ID: CVE-2018-12545)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
26) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-29415)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input within the isPublic() function when handling certain IP addresses, such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
Note, the vulnerability exists due to incomplete fix for #VU86944 (CVE-2023-42282).
27) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2023-42282)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input within the isPublic() function. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
28) Input validation error (CVE-ID: CVE-2021-28169)
The vulnerability allows a remote attacker to gain access to sensitive information..
The vulnerability exists due to a double decoding issue when parsing URI with certain characters. A remote attacker can send requests to the ConcatServlet and WelcomeFilter and view contents of protected resources within the WEB-INF directory.
Example:
/concat?/%2557EB-INF/web.xml
29) Cross-site scripting (CVE-ID: CVE-2024-25042)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
30) Resource exhaustion (CVE-ID: CVE-2023-51775)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion via large p2c (aka PBES2 Count) value and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.