CVE-2022-22364
IBM Cognos Controller security bypass
In short
IBM Cognos Controller fails to properly validate user input, allowing attackers to trick the application into making DNS lookups and HTTP requests to arbitrary websites. This can be used to attack other systems that the application server can reach.
Technical detail
A CWE-350 weakness enabling Server-Side Request Forgery (SSRF) through improper input validation affects versions 10.4.1, 10.4.2 and 11.0.0. A remote attacker can supply crafted payloads that cause the application to perform unintended DNS queries and HTTP requests to arbitrary domains, potentially enabling lateral network attacks from the application server's network context.
Summary generated and translated by AI from the official description.
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 are vulnerable to an external service interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 220903.
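The root cause named above is that a user-supplied destination reaches the server's outbound HTTP and DNS client without validation. The following added example (written for this page, not code from IBM or Cognos Controller) shows the kind of destination check that closes this class of SSRF: the URL scheme is restricted, embedded credentials are rejected, the host must be on an allowlist, and every address the host resolves to must be publicly routable, so loopback, link-local (including cloud metadata ranges) and RFC 1918 targets are refused even when an allowlisted name is pointed at them. The allowlist, the hostnames and the constructed DNS table are assumptions made up for the demonstration.

```python
"""Outbound request destination check (hypothetical SSRF hardening example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only external hosts this service is expected to call.
ALLOWED_HOSTS = {"api.example.internal", "reports.example.com"}

# Constructed DNS table used so the example runs offline; real code uses system DNS.
FAKE_DNS = {
    "reports.example.com": ["1.2.3.4"],          # public address
    "api.example.internal": ["10.0.0.5"],        # RFC 1918, must be refused
}


def system_resolver(hostname):
    """Resolve a hostname to its IP strings via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def constructed_resolver(hostname):
    """Offline stand-in for system_resolver backed by the constructed table."""
    return FAKE_DNS.get(hostname, [])


def check_destination(url, allowed_hosts=ALLOWED_HOSTS, resolver=system_resolver):
    """Return (ok, reason). ok is True only when every check below passes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        # 'http://trusted@10.0.0.5/' puts the real host after the '@'
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, f"host not allowlisted: {host!r}"
    # An allowlisted name may still be pointed at an internal address, so resolve
    # it and refuse anything that is not globally routable.
    try:
        addrs = [str(ipaddress.ip_address(host))]   # host given as an IP literal
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, f"no address for {host!r}"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


def demo():
    """Run the check over constructed sample URLs; returns list of (url, ok, reason)."""
    samples = [
        "https://reports.example.com/export?id=7",
        "http://api.example.internal/status",
        "http://127.0.0.1:8080/admin",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
        "http://reports.example.com@10.0.0.5/",
    ]
    return [(u,) + check_destination(u, resolver=constructed_resolver) for u in samples]


if __name__ == "__main__":
    for url, ok, reason in demo():
        print(f"{'ALLOW' if ok else 'DENY ':5} {url}  ({reason})")
```

The resolved address should also be the one the client actually connects to (pass it to the HTTP library or pin it in the connection pool); validating the name and then letting the library resolve it again leaves a window for DNS rebinding between the check and the request.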
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products
IBM · Cognos Controller