CVE-2022-36773

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233571.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/233571	VDB Entry Vendor Advisory
https://security.netapp.com/advisory/ntap-20221014-0005/	Third Party Advisory
https://www.ibm.com/support/pages/node/6615285	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:cognos_analytics::::::::
	cpe:2.3:a:ibm:cognos_analytics::::::::
	cpe:2.3:a:ibm:cognos_analytics:11.1.7:-::::::
	cpe:2.3:a:ibm:cognos_analytics:11.1.7:fixpack1::::::
	cpe:2.3:a:ibm:cognos_analytics:11.1.7:fixpack2::::::
	cpe:2.3:a:ibm:cognos_analytics:11.1.7:fixpack3::::::
	cpe:2.3:a:ibm:cognos_analytics:11.1.7:fixpack4::::::

Configuration 2 (hide)

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-09-01 19:15

Updated : 2022-11-03 19:04

NVD link : CVE-2022-36773

Mitre link : CVE-2022-36773

CVE.ORG link : CVE-2022-36773

JSON object : View

Products Affected

netapp

oncommand_insight

ibm

cognos_analytics

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2022-36773", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2022-09-01T19:15:12.587", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/233571", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://security.netapp.com/advisory/ntap-20221014-0005/", "tags": ["Third Party Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/6615285", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233571."}, {"lang": "es", "value": "IBM Cognos Analytics versiones 11.1.7, 11.2.0 y 11.2.1 es vulnerable a un ataque de tipo XML External Entity Injection (XXE) cuando son procesados datos XML. Un atacante remoto podr\u00eda aprovechar esta vulnerabilidad para exponer informaci\u00f3n confidencial o consumir recursos de memoria. IBM X-Force ID: 233571"}], "lastModified": "2022-11-03T19:04:35.090", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:cognos_analytics:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89AC2F63-02F5-449F-A66C-24AAFA34ED98", "versionEndExcluding": "11.1.7", "versionStartIncluding": "11.1.0"}, {"criteria": "cpe:2.3:a:ibm:cognos_analytics:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "820F9237-E014-43DC-9AEB-9FA97FA52E5E", "versionEndExcluding": "11.2.3", "versionStartIncluding": "11.2.0"}, {"criteria": "cpe:2.3:a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6680448A-C3B3-4FEE-A500-974681D3E731"}, {"criteria": "cpe:2.3:a:ibm:cognos_analytics:11.1.7:fixpack1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A2E66D31-A2CC-4F06-89D3-9A881EADE0FD"}, {"criteria": "cpe:2.3:a:ibm:cognos_analytics:11.1.7:fixpack2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A76630E7-2DEB-4992-A671-85729B80E46B"}, {"criteria": "cpe:2.3:a:ibm:cognos_analytics:11.1.7:fixpack3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "38BDC609-EA7D-4C15-868A-EC8D8FFD3AF9"}, {"criteria": "cpe:2.3:a:ibm:cognos_analytics:11.1.7:fixpack4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BCF5213D-4BB1-4109-8B1B-5CA129819692"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}