CVE-2024-51466 (CVSS 9.0): Critical Vulnerability Found in IBM Cognos Analytics
IBM has disclosed two severe vulnerabilities in its Cognos Analytics platform that could compromise sensitive data and system integrity. These vulnerabilities, identified as CVE-2024-51466 and CVE-2024-40695, highlight risks in business intelligence environments.
IBM Cognos Analytics, an integrated business intelligence suite, enables reporting, analytics, and monitoring for enterprise environments. It serves organizations globally with tools for decision-making and performance tracking. However, the platform’s popularity has made it a target for sophisticated attacks.
The vulnerabilities affect versions 12.0.0 through 12.0.4 and 11.2.0 through 11.2.4 FP4 of the software. IBM strongly advises users to upgrade to IBM Cognos Analytics 12.0.4 Interim Fix 1 or 11.2.4 FP5 to mitigate the risks.
- CVE-2024-51466: Expression Language Injection (CVSS 9.0)
The first vulnerability, an Expression Language (EL) Injection flaw, allows remote attackers to execute specially crafted EL statements. This can lead to the exposure of sensitive information, excessive memory consumption, and even server crashes.
IBM explains, “A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement.” With a CVSS score of 9.0, this vulnerability is deemed critical.
- CVE-2024-40695: Malicious File Upload (CVSS 8.0)
The second vulnerability involves insufficient file validation in the web interface, enabling privileged users to upload malicious files. These files can then be executed, posing a threat to system integrity and potentially serving as a vector for further attacks.
IBM describes the flaw: “Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.”
To address these vulnerabilities, IBM has released patches and strongly recommends immediate updates to affected systems. Unfortunately, no workarounds or mitigations are available for these issues, making timely remediation essential.
