IBM Support

Security Bulletin: IBM Controller is affected by vulnerabilities

Security Bulletin


Summary

There are vulnerabilities in Open-Source Software (OSS) components used by IBM Controller. Additionally, IBM Controller is vulnerable to cross site scripting (XSS) and server-side request forgery (SSRF) vulnerabilities. Please refer to the table in the Related Information section for vulnerability impact. This Security Bulletin relates only to the direct usage of third-party components by IBM Controller and not any nested dependencies within the product.

Vulnerability Details

CVEID:   CVE-2024-25037
DESCRIPTION:   IBM Cognos Controller could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser.
CWE:   CWE-209: Generation of Error Message Containing Sensitive Information
CVSS Source:   IBM X-Force
CVSS Base score:   4.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2024-28778
DESCRIPTION:   IBM Cognos Controller is vulnerable to exposure of Artifactory API keys. This vulnerability allows users to publish code to private packages or repositories under the name of the organization.
CWE:   CWE-798: Use of Hard-coded Credentials
CVSS Source:   IBM X-Force
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2024-40702
DESCRIPTION:   IBM Controller could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation.
CWE:   CWE-295: Improper Certificate Validation
CVSS Source:   IBM X-Force
CVSS Base score:   8.2
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

CVEID:   CVE-2024-43796
DESCRIPTION:   expressjs express is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CWE:   CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Source:   IBM X-Force
CVSS Base score:   5
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:   CVE-2024-29041
DESCRIPTION:   Express.js Express could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CWE:   CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVSS Source:   IBM X-Force
CVSS Base score:   6.1
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:   CVE-2024-39338
DESCRIPTION:   Axios is vulnerable to server-side request forgery, caused by a flaw with requests for path relative URLs get processed as protocol relative URLs. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.
CWE:   CWE-918: Server-Side Request Forgery (SSRF)
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2021-20455
DESCRIPTION:   IBM Cognos Controller could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
CWE:   CWE-209: Generation of Error Message Containing Sensitive Information
CVSS Source:   IBM X-Force
CVSS Base score:   3.7
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2024-43800
DESCRIPTION:   expressjs serve-static is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CWE:   CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Source:   IBM X-Force
CVSS Base score:   5
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:   CVE-2022-22363
DESCRIPTION:   IBM Cognos Controller Web could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
CWE:   CWE-209: Generation of Error Message Containing Sensitive Information
CVSS Source:   IBM X-Force
CVSS Base score:   4.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

IBM X-Force ID:   212371
DESCRIPTION:   express is vulnerable to HTTP response splitting attacks, caused by the failure to check for newline characters in the response.redirect function. A remote attacker could exploit this vulnerability to inject CRLF characters in to the HTTP response and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CWE:   CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CVSS Source:   IBM X-Force
CVSS Base score:   5.4
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Controller 11.1.0
IBM Cognos Controller 11.0.0 - 11.0.1

Remediation/Fixes

It is strongly recommended that you apply the most recent security updates:
    
Affected Product(s) Version(s) Fix
IBM Controller 11.1.0 Download IBM Controller 11.1.0.1 from Fix Central
IBM Cognos Controller 11.0.0 - 11.0.1  Download IBM Cognos Controller 11.0.1 FP3 from Fix Central


IBM Controller 11.1.0.1 and IBM Cognos Controller 11.0.1.3 are available for Cloud deployments. To schedule an upgrade to this release for either your non-production or production environment, log a support case at https://www.ibm.com/mysupport.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

These definitions can be found on the following IBM PSIRT News page: https://www.ibm.com/support/pages/node/6610583

Affected: The software product contains code, which has a documented vulnerability. Based on currently available information, however, we believe that the issue is likely not exploitable. However, as a best practice and from an abundance of caution, we recommend customers update their systems as soon as practical. Vulnerabilities evolve, and a means of exploiting any issue may emerge at any time.

Vulnerable: The software product contains code, which has a documented vulnerability. Our analysis shows that the issue may be exploitable.

Affected/Vulnerable Products and Versions: As used in IBM Security Bulletins, this category is intended to be only products and versions that are supported by IBM, and have not passed their end-of-support or warranty date. Thus, not including a reference in a Security Bulletin to unsupported or extended-support products or versions does not indicate a determination by IBM that they are unaffected by the vulnerability. Additionally, including a reference to one or more unsupported versions in a Security Bulletin (including reference to "All" versions) does not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
 

Dependency CVE Impact
Axios CVE-2024-39338 Vulnerable
express XFID: 212371 Vulnerable
expressjs express CVE-2024-43796 Vulnerable
CVE-2024-29041 Vulnerable
expressjs serve-static CVE-2024-43800 Vulnerable
Not dependency related CVE-2024-40702 Vulnerable
CVE-2024-25037 Vulnerable
CVE-2024-28778 Vulnerable
CVE-2022-22363 Vulnerable
CVE-2021-20455 Vulnerable

Acknowledgement

Change History

06 Jan 2025: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSY853","label":"IBM Controller"},"Component":"","Platform":[{"code":"PF033","label":"Windows"}],"Version":"11.1.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"Component":"","Platform":[{"code":"PF033","label":"Windows"}],"Version":"11.0.1, 11.0.0","Edition":"All","Line of Business":{"code":"LOB76","label":"Data Platform"}}]

Document Information

Modified date:
14 April 2025

UID

ibm17179163

Page Feedback