Critical Vulnerability Information

Vulnerability Details

CVE-2024-3651
- Description: IDna may allow local users to invoke the function with specially crafted parameters, leading to service crashes and resource exhaustion.
- CVSS Score: 6.2
- CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2024-36847
- Description: A flaw was found in libxml2 versions 2.11.7 and 2.12.x prior to 2.12.5. When using the XML Reader interface with DTD validation and XInclude extensions enabled, processing specially crafted XML documents may result in a use-after-free in .
- CVSS Score: 7.5
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2023-29032
- Description: IBM Cognos Analytics allows authenticated users to exhaust memory resources by sending specially crafted requests, leading to service disruption.
- CVSS Score: 6.5
- CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2024-3683
- Description: OpenSSH has a vulnerability that may lead to service disruption, caused by improper input validation in or functions. Remote attackers can exploit this by parsing specially crafted DSA public keys or UBI parameters, causing long delays and service interruption.
- CVSS Score: 5.9
- CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2023-3997
- Description: IBM Cognos Analytics is vulnerable to stored cross-site scripting (XSS). This vulnerability allows authenticated users to inject arbitrary JavaScript code into the Web UI, potentially abusing intended functionality and leading to credential leakage within trusted sessions.
- CVSS Score: 5.9
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)

CVE-2023-0923
- Description: IBM Cognos Analytics stores source code on the web server, which may assist in further attacks against the system.
- CVSS Score: 5.3
- CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVE-2023-3968
- Description: Node.js is vulnerable to two regular expression denial-of-service (ReDoS) flaws in Math.random(). Remote attackers can exploit this by sending specially crafted requests, leading to service disruption.
- CVSS Score: 5.3
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions
- IBM Cognos Analytics 12.0.0 - 12.0.4
- IBM Cognos Analytics 11.2.0 - 11.2.4 IF3

Remediation

Affected Products and Fixed Versions:
- IBM Cognos Analytics 12.0.0 - 12.0.4 FP4
- IBM Cognos Analytics 11.2.0 - 11.2.4 IF3 Fix Pack 1