CVE-2022-43883 : IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could be vulnerable to a Log Inj

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could be vulnerable to a Log Injection attack by constructing URLs from user-controlled data. This could enable attackers to make arbitrary requests to the internal network or to the local file system. IBM X-Force ID: 240266.

Published 2022-12-19 21:15:10

Updated 2022-12-23 20:09:33

Source IBM Corporation

View at NVD, CVE.org

Products affected by CVE-2022-43883

IBM » Cognos Analytics
Versions from including (>=) 11.1.0 and up to, including, (<=) 11.1.7
cpe:2.3:a:ibm:cognos_analytics:*:*:*:*:*:*:*:*
Matching versions
IBM » Cognos Analytics
Versions from including (>=) 11.2.0 and up to, including, (<=) 11.2.3
cpe:2.3:a:ibm:cognos_analytics:*:*:*:*:*:*:*:*
Matching versions
IBM » Cognos Analytics » Version: 11.1.7 Update Fixpack1
cpe:2.3:a:ibm:cognos_analytics:11.1.7:fixpack1:*:*:*:*:*:*
Matching versions
IBM » Cognos Analytics » Version: 11.1.7 Update Fixpack2
cpe:2.3:a:ibm:cognos_analytics:11.1.7:fixpack2:*:*:*:*:*:*
Matching versions
IBM » Cognos Analytics » Version: 11.1.7 Update Fixpack3
cpe:2.3:a:ibm:cognos_analytics:11.1.7:fixpack3:*:*:*:*:*:*
Matching versions
IBM » Cognos Analytics » Version: 11.1.7 Update Fixpack4
cpe:2.3:a:ibm:cognos_analytics:11.1.7:fixpack4:*:*:*:*:*:*
Matching versions
IBM » Cognos Analytics » Version: 11.1.7 Update Fixpack5
cpe:2.3:a:ibm:cognos_analytics:11.1.7:fixpack5:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-43883

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 31 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-43883

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	2.8	3.6	IBM Corporation
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2022-43883

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-43883

https://exchange.xforce.ibmcloud.com/vulnerabilities/240266

VDB Entry;Vendor Advisory
https://www.ibm.com/support/pages/node/6841801

Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022
Patch;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-43883

Products affected by CVE-2022-43883

Exploit prediction scoring system (EPSS) score for CVE-2022-43883

CVSS scores for CVE-2022-43883

CWE ids for CVE-2022-43883

References for CVE-2022-43883