Nov 21, 2019 9:38 am EST
Categorized: High Severity
This bulletin addresses several security vulnerabilities that are fixed in IBM Cognos Controller 10.4.1 IF2, 10.4.0 IF5, 10.3.1 IF12 and 10.3.0 FP1 IF13.
A vulnerability exists in IBM Cognos Controller that could allow an authenticated user to obtain sensitive information due to easy-to-guess session identifier names.
IBM Cognos Controller stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties gain access to the URLs via server logs, the HTTP Referer header, or browser history.
IBM Cognos Controller uses FasterXML Jackson. A vulnerability in FasterXML jackson-databind could be exploited by an attacker.
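The second issue above, sensitive values carried in URL query parameters, leaves traces wherever URLs are recorded. The following is an added example, not code from the bulletin or from IBM, showing a defender-side check: it scans web-server access-log lines for sensitive query parameters in both the request line and the Referer header, and redacts such parameters before a URL is written to a log. The parameter names in SENSITIVE_PARAMS, the log lines, and the URL paths are all constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names treated as sensitive. Hypothetical list for this example;
# in practice it is taken from the application's own session/auth parameter names.
SENSITIVE_PARAMS = {
    "sessionid", "session_id", "jsessionid", "token",
    "password", "passwd", "username", "user",
}

# Constructed sample lines in Apache/NGINX combined log format (not real product logs).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2019:09:38:00 -0500] "GET /controller/report?reportId=42&sessionId=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [21/Nov/2019:09:38:02 -0500] "GET /controller/home HTTP/1.1" 200 1024 "https://app.example.com/login?username=alice&password=s3cret" "Mozilla/5.0"
10.0.0.7 - - [21/Nov/2019:09:38:05 -0500] "POST /controller/api HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def sensitive_params(url):
    """Return the names of sensitive query parameters present in a URL or path."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def scan_log(text):
    """Flag log lines whose request URL or Referer header carries sensitive parameters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse; a real scanner would count these
        hits = sensitive_params(m["path"])
        if hits:
            findings.append({"line": lineno, "where": "request", "params": hits})
        if m["referer"] != "-":
            hits = sensitive_params(m["referer"])
            if hits:
                findings.append({"line": lineno, "where": "referer", "params": hits})
    return findings


def redact_url(url):
    """Mask the values of sensitive query parameters so the URL is safe to log."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(redacted)))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: sensitive parameter(s) {f['params']} in {f['where']}")
    print(redact_url("/controller/report?reportId=42&sessionId=abc123"))
```

The scan covers the two on-server channels the bulletin names (server logs and the Referer header); browser history is outside the server's control, which is why redaction at log-write time only reduces, not removes, the exposure. Moving such values out of the query string entirely (for example, into a cookie or request body) is the durable fix.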
Affected product(s) and affected version(s):
IBM Cognos Controller 10.4.1
IBM Cognos Controller 10.4.0
IBM Cognos Controller 10.3.1
IBM Cognos Controller 10.3.0
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www.ibm.com/support/pages/node/1086123