CVE-2022-22364 : IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to external servi

IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to external service interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 220903.

Published 2024-05-03 18:14:34

Updated 2025-01-07 20:16:36

Source IBM Corporation

View at NVD, CVE.org

Products affected by CVE-2022-22364

IBM » Cognos Controller » Version: 10.4.1
cpe:2.3:a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*
Matching versions
IBM » Cognos Controller » Version: 10.4.2
cpe:2.3:a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*
Matching versions
IBM » Cognos Controller » Version: 11.0.0
cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-22364

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 18 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-22364

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	NIST	2025-01-07
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	IBM Corporation	2024-05-03
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2022-22364

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Assigned by: nvd@nist.gov (Primary)
CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action

The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

Assigned by: psirt@us.ibm.com (Secondary)

References for CVE-2022-22364

https://www.ibm.com/support/pages/node/7149876

Security Bulletin: IBM Controller has addressed multiple vulnerabilities
Vendor Advisory

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/220903

IBM Cognos Controller security bypass CVE-2022-22364 Vulnerability Report
Vendor Advisory

Jump to

Vulnerability Details : CVE-2022-22364

Products affected by CVE-2022-22364

Exploit prediction scoring system (EPSS) score for CVE-2022-22364

CVSS scores for CVE-2022-22364

CWE ids for CVE-2022-22364

References for CVE-2022-22364