technology / Thursday, 04-Sep-2025

IBM Cognos Analytics Vulnerability Let Attackers Upload Malicious Files


IBM has issued a critical security advisory warning of two high-severity vulnerabilities affecting its Cognos Analytics platform that could allow attackers to upload malicious files and execute code on affected systems. 

The vulnerabilities, identified as CVE-2024-40695 and CVE-2024-51466, affect multiple versions of the popular business intelligence solution and require immediate patching.

Significant Vulnerabilities in IBM Cognos Analytics

The first vulnerability (CVE-2024-40695) involves a malicious file upload flaw with a CVSS base score of 8.0, categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type). 


This security issue stems from IBM Cognos Analytics failing to properly validate the content of files uploaded through its web interface.

A privileged user could exploit this weakness to upload malicious executable files that the product then processes automatically; such files could also be delivered to other users as a vehicle for further attacks.

“Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to the victim for performing further attacks,” IBM stated in its security bulletin. 

The vulnerability's CVSS vector is CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H: the flaw is reachable over the network with low attack complexity, requires low privileges and user interaction, and a successful exploit has high impact on confidentiality, integrity and availability.

The second vulnerability (CVE-2024-51466) is an Expression Language (EL) Injection vulnerability with an even higher CVSS base score of 9.0, classified under CWE-917. 

Because special elements in Expression Language statements are not properly neutralized, a remote attacker can exploit this vulnerability without user interaction or prior authentication.

“A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement,” according to the IBM advisory. 

The Expression Language Injection vulnerability (CVE-2024-51466) was reported to IBM by Vivek Singh from the Application Security Team at eClinicalWorks.

| CVE | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|---|---|---|---|---|
| CVE-2024-40695 | IBM Cognos Analytics 12.0.0–12.0.4, 11.2.0–11.2.4 FP4 | Malicious file upload enabling code execution or further attacks | Privileged user access and user interaction | 8.0 (High) |
| CVE-2024-51466 | IBM Cognos Analytics 12.0.0–12.0.4, 11.2.0–11.2.4 FP4 | EL injection leading to data exposure, resource exhaustion, or server crashes | Remote attacker without authentication | 9.0 (Critical) |

Affected Versions and Remediation

The vulnerabilities impact IBM Cognos Analytics versions 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4. 

IBM strongly recommends that organizations upgrade immediately to address these vulnerabilities, as no workarounds or alternative mitigations are available. The recommended remediation paths are:

  • For IBM Cognos Analytics 12.0.0-12.0.4: Upgrade to 12.0.4 Interim Fix 1.
  • For IBM Cognos Analytics 11.2.0-11.2.4 FP4: Upgrade to 11.2.4 FP5.

The vulnerability scanner Nessus provides a plugin (ID 213474) to help security teams determine if their environments are affected.
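As an added illustration of the same inventory check (not IBM's code and not the Nessus plugin), the following Python maps the advisory's affected ranges and fixed levels onto a list of installed versions. It assumes version strings in the form "11.2.4 FP4" or "12.0.4 IF1" / "12.0.4 Interim Fix 1", and reports any release train the advisory does not name as unassessed rather than safe.

```python
import re

# Affected ranges and fixed levels exactly as stated in IBM's advisory for
# CVE-2024-40695 and CVE-2024-51466. Levels are (patch, fix pack, interim fix).
ADVISORY = {
    (11, 2): {"last_affected": (4, 4, 0), "fix": "11.2.4 FP5"},
    (12, 0): {"last_affected": (4, 0, 0), "fix": "12.0.4 Interim Fix 1"},
}

# Assumed inventory format: "major.minor.patch", optionally followed by
# "FPn" and/or "IFn" / "Interim Fix n" (e.g. "11.2.4 FP4", "12.0.4 IF1").
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:\s*FP\s*(\d+))?(?:\s*(?:IF|Interim Fix)\s*(\d+))?$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (major, minor, patch, fixpack, interim_fix) or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cognos Analytics version string: {text!r}")
    major, minor, patch, fp, ifx = m.groups()
    return (int(major), int(minor), int(patch), int(fp or 0), int(ifx or 0))


def assess(text):
    """Classify one installed version against the advisory.

    Returns ("affected", fix), ("fixed", note) or ("not listed", note).
    """
    major, minor, patch, fp, ifx = parse_version(text)
    entry = ADVISORY.get((major, minor))
    if entry is None:
        # 11.1.x, 12.1.x etc. are not named in the bulletin; do not guess.
        return ("not listed", "release train not named in the advisory; consult IBM's bulletin")
    if (patch, fp, ifx) <= entry["last_affected"]:
        return ("affected", f"upgrade to {entry['fix']}")
    return ("fixed", "at or above the fixed level named in the advisory")


def triage(inventory):
    """Map host -> assessment for a {host: version_string} inventory."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"bi-prod-01": "11.2.4 FP4", "bi-prod-02": "12.0.4", "bi-dev-01": "12.0.4 IF1"}
    for host, (status, action) in triage(sample).items():
        print(f"{host}: {status} - {action}")
```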

This discovery highlights the ongoing security challenges facing enterprise business intelligence platforms that process and analyze sensitive corporate data.

Organizations using IBM Cognos Analytics should prioritize these patches as part of their security maintenance protocols to prevent potential data breaches and system compromises from these high-severity flaws.
