cvelistv5 - cve-2024-40691

CVE-2024-40691 (GCVE-0-2024-40691)

Vulnerability from cvelistv5 – Published: 2024-12-03 16:41 – Updated: 2024-12-03 19:10

Summary

IBM Cognos Controller 11.0.0 and 11.0.1 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.

Severity ?

8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-434 - Unrestricted Upload of File with Dangerous Type

Assigner

ibm

References

URL

Tags

https://www.ibm.com/support/pages/node/7177220

Impacted products

	Vendor	Product	Version
	IBM	Cognos Controller	Affected: 11.0.0, 11.0.1 cpe:2.3:a:ibm:cognos_controller:11.0.0:::::::* cpe:2.3:a:ibm:cognos_controller:11.0.1:::::::*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-40691",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-03T19:10:20.787413Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-03T19:10:40.681Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "Cognos Controller",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "11.0.0, 11.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 and 11.0.1 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.\u003c/span\u003e\n\n\u003c/span\u003e"
            }
          ],
          "value": "IBM Cognos Controller 11.0.0 and 11.0.1 \n\ncould be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-03T16:41:37.813Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "url": "https://www.ibm.com/support/pages/node/7177220"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Cognos Controller file upload",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2024-40691",
    "datePublished": "2024-12-03T16:41:37.813Z",
    "dateReserved": "2024-07-08T19:31:03.051Z",
    "dateUpdated": "2024-12-03T19:10:40.681Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4BB85020-BF02-4C91-B494-93FB19185006\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"14DFBD62-8263-4F2F-90C5-A4A508E43B79\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"IBM Cognos Controller 11.0.0 and 11.0.1 \\n\\ncould be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.\"}, {\"lang\": \"es\", \"value\": \"IBM Cognos Controller 11.0.0 y 11.0.1 podr\\u00edan ser vulnerables a la carga de archivos maliciosos al no validar el contenido del archivo cargado en la interfaz web. Los atacantes pueden aprovechar esta debilidad y cargar archivos ejecutables maliciosos en el sistema, que pueden enviarse a la v\\u00edctima para realizar otros ataques.\"}]",
      "id": "CVE-2024-40691",
      "lastModified": "2024-12-11T03:29:39.627",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"psirt@us.ibm.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.0, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2024-12-03T17:15:11.037",
      "references": "[{\"url\": \"https://www.ibm.com/support/pages/node/7177220\", \"source\": \"psirt@us.ibm.com\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "psirt@us.ibm.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"psirt@us.ibm.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-434\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-40691\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2024-12-03T17:15:11.037\",\"lastModified\":\"2024-12-11T03:29:39.627\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IBM Cognos Controller 11.0.0 and 11.0.1 \\n\\ncould be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.\"},{\"lang\":\"es\",\"value\":\"IBM Cognos Controller 11.0.0 y 11.0.1 podr\u00edan ser vulnerables a la carga de archivos maliciosos al no validar el contenido del archivo cargado en la interfaz web. Los atacantes pueden aprovechar esta debilidad y cargar archivos ejecutables maliciosos en el sistema, que pueden enviarse a la v\u00edctima para realizar otros ataques.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4BB85020-BF02-4C91-B494-93FB19185006\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"14DFBD62-8263-4F2F-90C5-A4A508E43B79\"}]}]}],\"references\":[{\"url\":\"https://www.ibm.com/support/pages/node/7177220\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-40691\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-03T19:10:20.787413Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-03T19:10:33.911Z\"}}], \"cna\": {\"title\": \"IBM Cognos Controller file upload\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*\"], \"vendor\": \"IBM\", \"product\": \"Cognos Controller\", \"versions\": [{\"status\": \"affected\", \"version\": \"11.0.0, 11.0.1\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.ibm.com/support/pages/node/7177220\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"IBM Cognos Controller 11.0.0 and 11.0.1 \\n\\ncould be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eIBM Cognos Controller 11.0.0 and 11.0.1 \\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ecould be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.\u003c/span\u003e\\n\\n\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434 Unrestricted Upload of File with Dangerous Type\"}]}], \"providerMetadata\": {\"orgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"shortName\": \"ibm\", \"dateUpdated\": \"2024-12-03T16:41:37.813Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-40691\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-03T19:10:40.681Z\", \"dateReserved\": \"2024-07-08T19:31:03.051Z\", \"assignerOrgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"datePublished\": \"2024-12-03T16:41:37.813Z\", \"assignerShortName\": \"ibm\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2024-AVI-1051

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	VIOS	VIOS version 3.1 sans le correctif invscout_fix7.tar
IBM	AIX	AIX version 7.3 sans le correctif invscout_fix7.tar
IBM	Cognos Controller	Cognos Controller versions 11.0.x antérieures à 11.0.1 FP3
IBM	AIX	AIX version 7.2 sans le correctif invscout_fix7.tar
IBM	Sterling Partner Engagement Manager Essentials Edition	Sterling Partner Engagement Manager Essentials Edition versions 6.2.x antérieures à 6.2.2.2
IBM	QRadar Use Case Manager App	QRadar Use Case Manager App versions antérieures à 4.0.0
IBM	Sterling Partner Engagement Manager Essentials Edition	Sterling Partner Engagement Manager Essentials Edition versions 6.1.x antérieures à 6.1.2.10
IBM	Sterling Partner Engagement Manager Standard Edition	Sterling Partner Engagement Manager Standard Edition versions 6.1.x antérieures à 6.1.2.10
IBM	VIOS	VIOS version 4.1 sans le correctif invscout_fix7.tar
IBM	Sterling Partner Engagement Manager Standard Edition	Sterling Partner Engagement Manager Standard Edition versions 6.2.x antérieures à 6.2.3.2

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7178033	2024-12-05	vendor-advisory
Bulletin de sécurité IBM 7178054	2024-12-06	vendor-advisory
Bulletin de sécurité IBM 7177220	2024-12-02	vendor-advisory
Bulletin de sécurité IBM 7177981	2024-12-05	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "VIOS version 3.1 sans le correctif invscout_fix7.tar",
      "product": {
        "name": "VIOS",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "AIX version 7.3 sans le correctif invscout_fix7.tar",
      "product": {
        "name": "AIX",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Cognos Controller versions 11.0.x ant\u00e9rieures \u00e0 11.0.1 FP3",
      "product": {
        "name": "Cognos Controller",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "AIX version 7.2 sans le correctif invscout_fix7.tar",
      "product": {
        "name": "AIX",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Essentials Edition versions 6.2.x ant\u00e9rieures \u00e0 6.2.2.2",
      "product": {
        "name": "Sterling Partner Engagement Manager Essentials Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Use Case Manager App versions ant\u00e9rieures \u00e0 4.0.0",
      "product": {
        "name": "QRadar Use Case Manager App",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Essentials Edition versions 6.1.x ant\u00e9rieures \u00e0 6.1.2.10",
      "product": {
        "name": "Sterling Partner Engagement Manager Essentials Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Standard Edition versions 6.1.x ant\u00e9rieures \u00e0 6.1.2.10",
      "product": {
        "name": "Sterling Partner Engagement Manager Standard Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "VIOS version 4.1 sans le correctif invscout_fix7.tar",
      "product": {
        "name": "VIOS",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Standard Edition versions 6.2.x ant\u00e9rieures \u00e0 6.2.3.2",
      "product": {
        "name": "Sterling Partner Engagement Manager Standard Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-20919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-20919"
    },
    {
      "name": "CVE-2023-7104",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-7104"
    },
    {
      "name": "CVE-2023-21938",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21938"
    },
    {
      "name": "CVE-2023-21843",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21843"
    },
    {
      "name": "CVE-2024-47115",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47115"
    },
    {
      "name": "CVE-2021-29425",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29425"
    },
    {
      "name": "CVE-2022-32213",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32213"
    },
    {
      "name": "CVE-2021-22959",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22959"
    },
    {
      "name": "CVE-2023-38264",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38264"
    },
    {
      "name": "CVE-2024-25020",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25020"
    },
    {
      "name": "CVE-2024-28849",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28849"
    },
    {
      "name": "CVE-2022-35256",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35256"
    },
    {
      "name": "CVE-2023-21954",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21954"
    },
    {
      "name": "CVE-2023-21939",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21939"
    },
    {
      "name": "CVE-2024-20926",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-20926"
    },
    {
      "name": "CVE-2024-22353",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22353"
    },
    {
      "name": "CVE-2024-41777",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41777"
    },
    {
      "name": "CVE-2024-21890",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21890"
    },
    {
      "name": "CVE-2024-21896",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21896"
    },
    {
      "name": "CVE-2024-43799",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-43799"
    },
    {
      "name": "CVE-2021-36690",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-36690"
    },
    {
      "name": "CVE-2023-21830",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21830"
    },
    {
      "name": "CVE-2021-22940",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22940"
    },
    {
      "name": "CVE-2023-23936",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23936"
    },
    {
      "name": "CVE-2023-50312",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-50312"
    },
    {
      "name": "CVE-2021-22930",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22930"
    },
    {
      "name": "CVE-2024-25035",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25035"
    },
    {
      "name": "CVE-2024-20921",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-20921"
    },
    {
      "name": "CVE-2023-38737",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38737"
    },
    {
      "name": "CVE-2023-24807",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24807"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2024-29857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
    },
    {
      "name": "CVE-2021-22918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22918"
    },
    {
      "name": "CVE-2023-22081",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22081"
    },
    {
      "name": "CVE-2024-45590",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45590"
    },
    {
      "name": "CVE-2021-23337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23337"
    },
    {
      "name": "CVE-2024-25026",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25026"
    },
    {
      "name": "CVE-2021-22939",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22939"
    },
    {
      "name": "CVE-2021-44532",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44532"
    },
    {
      "name": "CVE-2024-26308",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26308"
    },
    {
      "name": "CVE-2022-0155",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0155"
    },
    {
      "name": "CVE-2021-22960",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22960"
    },
    {
      "name": "CVE-2024-41776",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41776"
    },
    {
      "name": "CVE-2024-30172",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30172"
    },
    {
      "name": "CVE-2024-25019",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25019"
    },
    {
      "name": "CVE-2022-32222",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32222"
    },
    {
      "name": "CVE-2023-22067",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22067"
    },
    {
      "name": "CVE-2022-32212",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32212"
    },
    {
      "name": "CVE-2023-23920",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23920"
    },
    {
      "name": "CVE-2024-21634",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21634"
    },
    {
      "name": "CVE-2023-23918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23918"
    },
    {
      "name": "CVE-2024-21011",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21011"
    },
    {
      "name": "CVE-2024-22329",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22329"
    },
    {
      "name": "CVE-2021-22921",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22921"
    },
    {
      "name": "CVE-2022-0536",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0536"
    },
    {
      "name": "CVE-2024-25710",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25710"
    },
    {
      "name": "CVE-2021-29892",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29892"
    },
    {
      "name": "CVE-2024-45676",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45676"
    },
    {
      "name": "CVE-2023-49735",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-49735"
    },
    {
      "name": "CVE-2024-40691",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-40691"
    },
    {
      "name": "CVE-2024-21094",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21094"
    },
    {
      "name": "CVE-2023-51775",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-51775"
    },
    {
      "name": "CVE-2023-21937",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21937"
    },
    {
      "name": "CVE-2024-27268",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-27268"
    },
    {
      "name": "CVE-2022-32215",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32215"
    },
    {
      "name": "CVE-2023-33850",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-33850"
    },
    {
      "name": "CVE-2023-2597",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-2597"
    },
    {
      "name": "CVE-2023-22045",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22045"
    },
    {
      "name": "CVE-2024-41775",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41775"
    },
    {
      "name": "CVE-2023-22049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22049"
    },
    {
      "name": "CVE-2023-23919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23919"
    },
    {
      "name": "CVE-2020-28500",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28500"
    },
    {
      "name": "CVE-2021-22931",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22931"
    },
    {
      "name": "CVE-2023-44483",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44483"
    },
    {
      "name": "CVE-2021-44533",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44533"
    },
    {
      "name": "CVE-2023-5676",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5676"
    },
    {
      "name": "CVE-2022-35737",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35737"
    },
    {
      "name": "CVE-2024-28863",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28863"
    },
    {
      "name": "CVE-2020-8203",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8203"
    },
    {
      "name": "CVE-2022-25857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
    },
    {
      "name": "CVE-2024-27270",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-27270"
    },
    {
      "name": "CVE-2024-21891",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21891"
    },
    {
      "name": "CVE-2023-21968",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21968"
    },
    {
      "name": "CVE-2022-32214",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32214"
    },
    {
      "name": "CVE-2024-39338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39338"
    },
    {
      "name": "CVE-2024-30171",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30171"
    },
    {
      "name": "CVE-2022-21824",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21824"
    },
    {
      "name": "CVE-2023-21930",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21930"
    },
    {
      "name": "CVE-2024-22017",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22017"
    },
    {
      "name": "CVE-2023-24998",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24998"
    },
    {
      "name": "CVE-2024-20918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-20918"
    },
    {
      "name": "CVE-2022-35255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35255"
    },
    {
      "name": "CVE-2024-25036",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25036"
    },
    {
      "name": "CVE-2024-21085",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21085"
    },
    {
      "name": "CVE-2021-44531",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44531"
    },
    {
      "name": "CVE-2024-20945",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-20945"
    },
    {
      "name": "CVE-2023-39332",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-39332"
    },
    {
      "name": "CVE-2024-22354",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22354"
    },
    {
      "name": "CVE-2023-21967",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21967"
    },
    {
      "name": "CVE-2022-32223",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32223"
    },
    {
      "name": "CVE-2023-26159",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26159"
    },
    {
      "name": "CVE-2024-20952",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-20952"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-1051",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-12-06T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": "2024-12-05",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7178033",
      "url": "https://www.ibm.com/support/pages/node/7178033"
    },
    {
      "published_at": "2024-12-06",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7178054",
      "url": "https://www.ibm.com/support/pages/node/7178054"
    },
    {
      "published_at": "2024-12-02",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7177220",
      "url": "https://www.ibm.com/support/pages/node/7177220"
    },
    {
      "published_at": "2024-12-05",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7177981",
      "url": "https://www.ibm.com/support/pages/node/7177981"
    }
  ]
}

CERTFR-2024-AVI-1051

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	VIOS	VIOS version 3.1 sans le correctif invscout_fix7.tar
IBM	AIX	AIX version 7.3 sans le correctif invscout_fix7.tar
IBM	Cognos Controller	Cognos Controller versions 11.0.x antérieures à 11.0.1 FP3
IBM	AIX	AIX version 7.2 sans le correctif invscout_fix7.tar
IBM	Sterling Partner Engagement Manager Essentials Edition	Sterling Partner Engagement Manager Essentials Edition versions 6.2.x antérieures à 6.2.2.2
IBM	QRadar Use Case Manager App	QRadar Use Case Manager App versions antérieures à 4.0.0
IBM	Sterling Partner Engagement Manager Essentials Edition	Sterling Partner Engagement Manager Essentials Edition versions 6.1.x antérieures à 6.1.2.10
IBM	Sterling Partner Engagement Manager Standard Edition	Sterling Partner Engagement Manager Standard Edition versions 6.1.x antérieures à 6.1.2.10
IBM	VIOS	VIOS version 4.1 sans le correctif invscout_fix7.tar
IBM	Sterling Partner Engagement Manager Standard Edition	Sterling Partner Engagement Manager Standard Edition versions 6.2.x antérieures à 6.2.3.2

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7178033	2024-12-05	vendor-advisory
Bulletin de sécurité IBM 7178054	2024-12-06	vendor-advisory
Bulletin de sécurité IBM 7177220	2024-12-02	vendor-advisory
Bulletin de sécurité IBM 7177981	2024-12-05	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "VIOS version 3.1 sans le correctif invscout_fix7.tar",
      "product": {
        "name": "VIOS",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "AIX version 7.3 sans le correctif invscout_fix7.tar",
      "product": {
        "name": "AIX",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Cognos Controller versions 11.0.x ant\u00e9rieures \u00e0 11.0.1 FP3",
      "product": {
        "name": "Cognos Controller",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "AIX version 7.2 sans le correctif invscout_fix7.tar",
      "product": {
        "name": "AIX",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Essentials Edition versions 6.2.x ant\u00e9rieures \u00e0 6.2.2.2",
      "product": {
        "name": "Sterling Partner Engagement Manager Essentials Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Use Case Manager App versions ant\u00e9rieures \u00e0 4.0.0",
      "product": {
        "name": "QRadar Use Case Manager App",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Essentials Edition versions 6.1.x ant\u00e9rieures \u00e0 6.1.2.10",
      "product": {
        "name": "Sterling Partner Engagement Manager Essentials Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Standard Edition versions 6.1.x ant\u00e9rieures \u00e0 6.1.2.10",
      "product": {
        "name": "Sterling Partner Engagement Manager Standard Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "VIOS version 4.1 sans le correctif invscout_fix7.tar",
      "product": {
        "name": "VIOS",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Standard Edition versions 6.2.x ant\u00e9rieures \u00e0 6.2.3.2",
      "product": {
        "name": "Sterling Partner Engagement Manager Standard Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-20919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-20919"
    },
    {
      "name": "CVE-2023-7104",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-7104"
    },
    {
      "name": "CVE-2023-21938",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21938"
    },
    {
      "name": "CVE-2023-21843",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21843"
    },
    {
      "name": "CVE-2024-47115",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47115"
    },
    {
      "name": "CVE-2021-29425",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29425"
    },
    {
      "name": "CVE-2022-32213",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32213"
    },
    {
      "name": "CVE-2021-22959",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22959"
    },
    {
      "name": "CVE-2023-38264",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38264"
    },
    {
      "name": "CVE-2024-25020",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25020"
    },
    {
      "name": "CVE-2024-28849",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28849"
    },
    {
      "name": "CVE-2022-35256",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35256"
    },
    {
      "name": "CVE-2023-21954",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21954"
    },
    {
      "name": "CVE-2023-21939",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21939"
    },
    {
      "name": "CVE-2024-20926",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-20926"
    },
    {
      "name": "CVE-2024-22353",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22353"
    },
    {
      "name": "CVE-2024-41777",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41777"
    },
    {
      "name": "CVE-2024-21890",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21890"
    },
    {
      "name": "CVE-2024-21896",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21896"
    },
    {
      "name": "CVE-2024-43799",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-43799"
    },
    {
      "name": "CVE-2021-36690",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-36690"
    },
    {
      "name": "CVE-2023-21830",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21830"
    },
    {
      "name": "CVE-2021-22940",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22940"
    },
    {
      "name": "CVE-2023-23936",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23936"
    },
    {
      "name": "CVE-2023-50312",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-50312"
    },
    {
      "name": "CVE-2021-22930",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22930"
    },
    {
      "name": "CVE-2024-25035",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25035"
    },
    {
      "name": "CVE-2024-20921",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-20921"
    },
    {
      "name": "CVE-2023-38737",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38737"
    },
    {
      "name": "CVE-2023-24807",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24807"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2024-29857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
    },
    {
      "name": "CVE-2021-22918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22918"
    },
    {
      "name": "CVE-2023-22081",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22081"
    },
    {
      "name": "CVE-2024-45590",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45590"
    },
    {
      "name": "CVE-2021-23337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23337"
    },
    {
      "name": "CVE-2024-25026",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25026"
    },
    {
      "name": "CVE-2021-22939",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22939"
    },
    {
      "name": "CVE-2021-44532",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44532"
    },
    {
      "name": "CVE-2024-26308",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26308"
    },
    {
      "name": "CVE-2022-0155",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0155"
    },
    {
      "name": "CVE-2021-22960",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22960"
    },
    {
      "name": "CVE-2024-41776",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41776"
    },
    {
      "name": "CVE-2024-30172",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30172"
    },
    {
      "name": "CVE-2024-25019",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25019"
    },
    {
      "name": "CVE-2022-32222",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32222"
    },
    {
      "name": "CVE-2023-22067",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22067"
    },
    {
      "name": "CVE-2022-32212",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32212"
    },
    {
      "name": "CVE-2023-23920",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23920"
    },
    {
      "name": "CVE-2024-21634",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21634"
    },
    {
      "name": "CVE-2023-23918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23918"
    },
    {
      "name": "CVE-2024-21011",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21011"
    },
    {
      "name": "CVE-2024-22329",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22329"
    },
    {
      "name": "CVE-2021-22921",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22921"
    },
    {
      "name": "CVE-2022-0536",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0536"
    },
    {
      "name": "CVE-2024-25710",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25710"
    },
    {
      "name": "CVE-2021-29892",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29892"
    },
    {
      "name": "CVE-2024-45676",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45676"
    },
    {
      "name": "CVE-2023-49735",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-49735"
    },
    {
      "name": "CVE-2024-40691",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-40691"
    },
    {
      "name": "CVE-2024-21094",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21094"
    },
    {
      "name": "CVE-2023-51775",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-51775"
    },
    {
      "name": "CVE-2023-21937",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21937"
    },
    {
      "name": "CVE-2024-27268",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-27268"
    },
    {
      "name": "CVE-2022-32215",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32215"
    },
    {
      "name": "CVE-2023-33850",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-33850"
    },
    {
      "name": "CVE-2023-2597",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-2597"
    },
    {
      "name": "CVE-2023-22045",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22045"
    },
    {
      "name": "CVE-2024-41775",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41775"
    },
    {
      "name": "CVE-2023-22049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22049"
    },
    {
      "name": "CVE-2023-23919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23919"
    },
    {
      "name": "CVE-2020-28500",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28500"
    },
    {
      "name": "CVE-2021-22931",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22931"
    },
    {
      "name": "CVE-2023-44483",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44483"
    },
    {
      "name": "CVE-2021-44533",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44533"
    },
    {
      "name": "CVE-2023-5676",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5676"
    },
    {
      "name": "CVE-2022-35737",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35737"
    },
    {
      "name": "CVE-2024-28863",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28863"
    },
    {
      "name": "CVE-2020-8203",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8203"
    },
    {
      "name": "CVE-2022-25857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
    },
    {
      "name": "CVE-2024-27270",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-27270"
    },
    {
      "name": "CVE-2024-21891",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21891"
    },
    {
      "name": "CVE-2023-21968",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21968"
    },
    {
      "name": "CVE-2022-32214",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32214"
    },
    {
      "name": "CVE-2024-39338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39338"
    },
    {
      "name": "CVE-2024-30171",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30171"
    },
    {
      "name": "CVE-2022-21824",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21824"
    },
    {
      "name": "CVE-2023-21930",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21930"
    },
    {
      "name": "CVE-2024-22017",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22017"
    },
    {
      "name": "CVE-2023-24998",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24998"
    },
    {
      "name": "CVE-2024-20918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-20918"
    },
    {
      "name": "CVE-2022-35255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35255"
    },
    {
      "name": "CVE-2024-25036",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25036"
    },
    {
      "name": "CVE-2024-21085",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21085"
    },
    {
      "name": "CVE-2021-44531",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44531"
    },
    {
      "name": "CVE-2024-20945",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-20945"
    },
    {
      "name": "CVE-2023-39332",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-39332"
    },
    {
      "name": "CVE-2024-22354",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22354"
    },
    {
      "name": "CVE-2023-21967",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21967"
    },
    {
      "name": "CVE-2022-32223",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32223"
    },
    {
      "name": "CVE-2023-26159",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26159"
    },
    {
      "name": "CVE-2024-20952",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-20952"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-1051",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-12-06T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": "2024-12-05",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7178033",
      "url": "https://www.ibm.com/support/pages/node/7178033"
    },
    {
      "published_at": "2024-12-06",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7178054",
      "url": "https://www.ibm.com/support/pages/node/7178054"
    },
    {
      "published_at": "2024-12-02",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7177220",
      "url": "https://www.ibm.com/support/pages/node/7177220"
    },
    {
      "published_at": "2024-12-05",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7177981",
      "url": "https://www.ibm.com/support/pages/node/7177981"
    }
  ]
}

CNVD-2024-49171

Vulnerability from cnvd - Published: 2024-12-24

Title

IBM Cognos Controller文件上传漏洞（CNVD-2024-49171）

Description

IBM Cognos Controller是美国国际商业机器（IBM）公司的一套商业智能与计划解决方案。该产品具有流程自动化、财务审计控制、创建和管理财务报告等功能。 IBM Cognos Controller存在文件上传漏洞，攻击者可利用该漏洞上传恶意文件从而远程执行任意代码。

Severity

高

Patch Name

IBM Cognos Controller文件上传漏洞（CNVD-2024-49171）的补丁

Patch Description

IBM Cognos Controller是美国国际商业机器（IBM）公司的一套商业智能与计划解决方案。该产品具有流程自动化、财务审计控制、创建和管理财务报告等功能。 IBM Cognos Controller存在文件上传漏洞，攻击者可利用该漏洞上传恶意文件从而远程执行任意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.ibm.com/support/pages/node/7177220

Reference

https://nvd.nist.gov/vuln/detail/CVE-2024-40691

Impacted products

Name
['IBM IBM Cognos Controller 11.0.0', 'IBM IBM Cognos Controller 11.0.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-40691",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-40691"
    }
  },
  "description": "IBM Cognos Controller\u662f\u7f8e\u56fd\u56fd\u9645\u5546\u4e1a\u673a\u5668\uff08IBM\uff09\u516c\u53f8\u7684\u4e00\u5957\u5546\u4e1a\u667a\u80fd\u4e0e\u8ba1\u5212\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u5177\u6709\u6d41\u7a0b\u81ea\u52a8\u5316\u3001\u8d22\u52a1\u5ba1\u8ba1\u63a7\u5236\u3001\u521b\u5efa\u548c\u7ba1\u7406\u8d22\u52a1\u62a5\u544a\u7b49\u529f\u80fd\u3002\n\nIBM Cognos Controller\u5b58\u5728\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4e0a\u4f20\u6076\u610f\u6587\u4ef6\u4ece\u800c\u8fdc\u7a0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.ibm.com/support/pages/node/7177220",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-49171",
  "openTime": "2024-12-24",
  "patchDescription": "IBM Cognos Controller\u662f\u7f8e\u56fd\u56fd\u9645\u5546\u4e1a\u673a\u5668\uff08IBM\uff09\u516c\u53f8\u7684\u4e00\u5957\u5546\u4e1a\u667a\u80fd\u4e0e\u8ba1\u5212\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u5177\u6709\u6d41\u7a0b\u81ea\u52a8\u5316\u3001\u8d22\u52a1\u5ba1\u8ba1\u63a7\u5236\u3001\u521b\u5efa\u548c\u7ba1\u7406\u8d22\u52a1\u62a5\u544a\u7b49\u529f\u80fd\u3002\r\n\r\nIBM Cognos Controller\u5b58\u5728\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4e0a\u4f20\u6076\u610f\u6587\u4ef6\u4ece\u800c\u8fdc\u7a0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Cognos Controller\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff08CNVD-2024-49171\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM IBM Cognos Controller 11.0.0",
      "IBM IBM Cognos Controller 11.0.1"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-40691",
  "serverity": "\u9ad8",
  "submitTime": "2024-12-06",
  "title": "IBM Cognos Controller\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff08CNVD-2024-49171\uff09"
}

FKIE_CVE-2024-40691

Vulnerability from fkie_nvd - Published: 2024-12-03 17:15 - Updated: 2024-12-11 03:29

Severity ?

8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	psirt@us.ibm.com	https://www.ibm.com/support/pages/node/7177220	Vendor Advisory

Impacted products

	Vendor	Product	Version
	ibm	cognos_controller	11.0.0
	ibm	cognos_controller	11.0.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4BB85020-BF02-4C91-B494-93FB19185006",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "14DFBD62-8263-4F2F-90C5-A4A508E43B79",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "IBM Cognos Controller 11.0.0 and 11.0.1 \n\ncould be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks."
    },
    {
      "lang": "es",
      "value": "IBM Cognos Controller 11.0.0 y 11.0.1 podr\u00edan ser vulnerables a la carga de archivos maliciosos al no validar el contenido del archivo cargado en la interfaz web. Los atacantes pueden aprovechar esta debilidad y cargar archivos ejecutables maliciosos en el sistema, que pueden enviarse a la v\u00edctima para realizar otros ataques."
    }
  ],
  "id": "CVE-2024-40691",
  "lastModified": "2024-12-11T03:29:39.627",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 5.9,
        "source": "psirt@us.ibm.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-12-03T17:15:11.037",
  "references": [
    {
      "source": "psirt@us.ibm.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.ibm.com/support/pages/node/7177220"
    }
  ],
  "sourceIdentifier": "psirt@us.ibm.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "psirt@us.ibm.com",
      "type": "Primary"
    }
  ]
}

GHSA-8X6F-X28R-PFQ4

Vulnerability from github – Published: 2024-12-03 18:31 – Updated: 2024-12-03 18:31

Details

IBM Cognos Controller 11.0.0 and 11.0.1

could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.

Severity ?

8.0 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-40691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-03T17:15:11Z",
    "severity": "HIGH"
  },
  "details": "IBM Cognos Controller 11.0.0 and 11.0.1 \n\ncould be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.",
  "id": "GHSA-8x6f-x28r-pfq4",
  "modified": "2024-12-03T18:31:04Z",
  "published": "2024-12-03T18:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40691"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7177220"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-40691 (GCVE-0-2024-40691)

CERTFR-2024-AVI-1051

Solutions

CERTFR-2024-AVI-1051

Solutions

CNVD-2024-49171

FKIE_CVE-2024-40691

GHSA-8X6F-X28R-PFQ4

Tags

Sightings

Nomenclature