#VU98734 Insufficiently protected credentials in IBM Cognos Analytics and Cognos Analytics Reports for iOS


Published: 2024-10-16

Vulnerability identifier: #VU98734

Vulnerability risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-40703

CWE-ID: CWE-522

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
IBM Cognos Analytics
Client/Desktop applications / Office applications
Cognos Analytics Reports for iOS
Other software / Other software solutions

Vendor: IBM Corporation

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A local user can obtain sensitive information in the form of an API key.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

IBM Cognos Analytics: 11.2.0 - 12.0.3

Cognos Analytics Reports for iOS: 11.0.0.7

External links
http://www.ibm.com/support/pages/node/7160700
http://www.ibm.com/support/pages/node/7168038

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Insufficiently protected credentials in IBM Cognos Analytics
Insufficiently protected credentials in IBM Cognos Analytics Reports (iOS)