IBM Cognos Analytics Security Vulnerability Allowed Unauthorized File Uploads
IBM has issued a security bulletin addressing two newly discovered, high-severity vulnerabilities in its Cognos Analytics platform.
These flaws, tracked as CVE-2024-40695 (Malicious File Upload) and CVE-2024-51466 (Expression Language Injection), potentially expose enterprise systems to unauthorized file uploads and the risk of sensitive data exposure or denial-of-service attacks.
| CVE ID | Description | Severity | CVSS Score | Affected Versions |
| --- | --- | --- | --- | --- |
| CVE-2024-40695 | Malicious file upload via improper file validation | High | 8.0 | 12.0.0–12.0.4, 11.2.0–11.2.4 FP4 |
| CVE-2024-51466 | Expression Language (EL) injection allows attackers to expose sensitive information and crash the server | Critical | 9.0 | 12.0.0–12.0.4, 11.2.0–11.2.4 FP4 |
Details of the Vulnerabilities
Malicious File Upload (CVE-2024-40695)
This vulnerability arises due to insufficient validation of files uploaded through the Cognos Analytics web interface.
Privileged users can upload files with dangerous or executable content, which, when processed by the platform, may allow attackers to execute malicious code or conduct further attacks against unsuspecting users.
The flaw affects Cognos Analytics versions 12.0.0 to 12.0.4 and 11.2.0 to 11.2.4 FP4. It has a CVSS base score of 8.0, underscoring its high risk.
Expression Language Injection (CVE-2024-51466)
A more severe flaw, this issue enables remote attackers to inject arbitrary Expression Language (EL) statements.
When exploited, it can lead to sensitive data exposure, excessive memory consumption, and server crashes, causing significant disruption. Scored 9.0 on the CVSS scale, this vulnerability is considered critical.
Affected Products and Versions
- IBM Cognos Analytics 12.0.0 to 12.0.4
- IBM Cognos Analytics 11.2.0 to 11.2.4 FP4
IBM urges all customers to immediately update their software to the latest patched versions:
| Product | Vulnerable Versions | Fixed Version |
| --- | --- | --- |
| Cognos Analytics | 12.0.0–12.0.4 | 12.0.4 Interim Fix 1 |
| Cognos Analytics | 11.2.0–11.2.4 FP4 | 11.2.4 FP5 |
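As an added illustration (not code from IBM or from the bulletin), a small Python helper that maps an inventory of Cognos Analytics version strings onto the affected and fixed versions listed above, so that hosts still needing the vendor fix can be found first. The host names are constructed, and the ordering of Fix Pack versus Interim Fix on the same base release is an assumption.

```python
import re

# Version strings become (major, minor, mod, fixpack, interim_fix) tuples.
# Assumption: on one base release a Fix Pack (FP) supersedes an Interim Fix (IF).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)"
    r"(?:\s*(?:FP|Fix\s*Pack)\s*(\d+))?"
    r"(?:\s*(?:IF|Interim\s*Fix)\s*(\d+))?\s*$",
    re.IGNORECASE,
)

# Per release stream: (lowest affected, highest affected, first fixed) as listed in the bulletin:
# 12.0.0-12.0.4 fixed in 12.0.4 Interim Fix 1; 11.2.0-11.2.4 FP4 fixed in 11.2.4 FP5.
_STREAMS = [
    ((12, 0, 0, 0, 0), (12, 0, 4, 0, 0), (12, 0, 4, 0, 1)),
    ((11, 2, 0, 0, 0), (11, 2, 4, 4, 0), (11, 2, 4, 5, 0)),
]

def parse_version(text):
    """Turn '11.2.4 FP4' or '12.0.4 Interim Fix 1' into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Cognos Analytics version: {text!r}")
    major, minor, mod, fp, ifix = m.groups()
    return (int(major), int(minor), int(mod), int(fp or 0), int(ifix or 0))

def assess(version_text):
    """Return 'vulnerable', 'fixed' or 'not listed' for CVE-2024-40695 / CVE-2024-51466."""
    v = parse_version(version_text)
    for low, high, fixed in _STREAMS:
        if v[:2] != low[:2]:
            continue  # another release stream (e.g. 11.1.x) is not covered by the bulletin
        if v >= fixed:
            return "fixed"
        if low <= v <= high:
            return "vulnerable"
    return "not listed"

# Constructed sample inventory: host names and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("bi-prod-01", "11.2.4 FP4"),
    ("bi-dev-01", "12.0.4"),
    ("bi-dev-02", "12.0.4 Interim Fix 1"),
    ("bi-legacy-01", "11.1.7"),
]

def triage(inventory):
    """Rows of (host, version, status), vulnerable hosts first so they are patched first."""
    rank = {"vulnerable": 0, "not listed": 1, "fixed": 2}
    return sorted(((h, v, assess(v)) for h, v in inventory), key=lambda r: rank[r[2]])
```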
No temporary workarounds or mitigations are available; applying the vendor patch is the only solution.
Organizations using IBM Cognos Analytics should prioritize these updates to prevent unauthorized access and attacks.
The vulnerabilities present a clear risk to the confidentiality, integrity, and availability of analytic systems and their underlying data.