SB2025030424 - Multiple vulnerabilities in IBM Cognos Dashboards on Cloud Pak for Data

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025030424

SB2025030424 - Multiple vulnerabilities in IBM Cognos Dashboards on Cloud Pak for Data

Published: March 4, 2025 Updated: September 5, 2025

Security Bulletin ID SB2025030424
Severity
High
Patch available
YES
Number of vulnerabilities 15
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 13% Medium 73% Low 13%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 15 secuirty vulnerabilities.


1) Asymmetric Resource Consumption (Amplification) (CVE-ID: CVE-2024-45590)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of a large number of requests when url encoding is enabled. A remote attacker can send multiple requests to the server and perform a denial of service (DoS) attack.


2) Improper error handling (CVE-ID: CVE-2024-21536)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an UnhandledPromiseRejection error thrown by micromatch. A remote non-authenticated attacker can send specially crafted request to the application and crash the Node.js process.


3) Incorrect Regular Expression (CVE-ID: CVE-2024-21538)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


4) Deserialization of Untrusted Data (CVE-ID: CVE-2023-39410)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to reader can consume memory beyond the allowed constraints and thus lead to out of memory on the system, when deserializing untrusted or corrupted data. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.


5) Input validation error (CVE-ID: CVE-2024-47561)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when parsing schema in Java SDK. A remote attacker can pass specially crafted schema to the application and execute arbitrary code on the system.


6) Improper verification of cryptographic signature (CVE-ID: CVE-2024-48948)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect validation of valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. Such behavior leads to valid signatures being rejected.


7) Incorrect Regular Expression (CVE-ID: CVE-2021-27290)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect processing of SRIs. A remote attacker can pass specially crafted input to the application and perform regular expression denial of service (ReDoS) attack.


8) Incorrect Regular Expression (CVE-ID: CVE-2024-6232)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of .tar archives when processing it with regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


9) Cross-site scripting (CVE-ID: CVE-2024-43800)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


10) Resource exhaustion (CVE-ID: CVE-2021-44906)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.


11) Prototype pollution (CVE-ID: CVE-2020-7598)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


12) Resource exhaustion (CVE-ID: CVE-2024-47554)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling untrusted input passed to the org.apache.commons.io.input.XmlStreamReader class. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


13) Use of insufficiently random values (CVE-ID: CVE-2025-22150)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the application uses "Math.random()" from the fetch() function to choose the boundary for a "multipart/form-data" request. A remote attacker with ability to intercept traffic can tamper with the requests going to the backend APIs.


14) Out-of-bounds read (CVE-ID: CVE-2022-48554)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the file_copystr() function in funcs.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and crash the application.


15) Input validation error (CVE-ID: CVE-2024-50602)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the XML_ResumeParser function. A remote attacker can pass specially crafted XML input to the application and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References