Platform: ibm
Component: cognos-controller
Fixed in: 10.3.2, 10.3.1, 10.4.1, 10.4.2
CVE-2019-4171 describes a vulnerability in IBM Cognos Controller affecting versions 10.3.0 through 10.4.1. This issue stems from the lack of secure attributes on authorization tokens and session cookies, potentially enabling man-in-the-middle attacks. Successful exploitation could lead to unauthorized access to sensitive information. A fix is available in version 10.4.2.
The primary impact of CVE-2019-4171 is the potential for unauthorized information disclosure. An attacker positioned between a user and the Cognos Controller server could intercept and potentially manipulate authorization tokens or session cookies. This allows the attacker to impersonate the user and access data they are not authorized to view. While the CVSS score is LOW, the potential for sensitive data exposure, particularly within a business intelligence context, warrants prompt remediation. This vulnerability shares similarities with other cookie-related security flaws where improper handling of session identifiers can lead to account takeover.
CVE-2019-4171 was publicly disclosed on September 17, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score suggests a relatively low probability of exploitation, but the potential impact of data exposure remains a concern.
Exploit Status
EPSS: 0.18% (40th percentile)
CVSS Vector
The recommended mitigation for CVE-2019-4171 is to upgrade to IBM Cognos Controller version 10.4.2 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing network segmentation to limit access to the Cognos Controller server. Additionally, enforce strict transport layer security (HTTPS) to encrypt communication between clients and the server, making it more difficult for attackers to intercept traffic. Regularly review and audit Cognos Controller configurations to ensure adherence to security best practices.
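The weakness behind CVE-2019-4171 is a session or authorization cookie issued without the Secure attribute, so a browser will also send it over plain HTTP where an on-path observer can read it. The checker below is an added example, not IBM's code and not part of the security bulletin: it parses Set-Cookie headers from an HTTP response and reports any session cookie missing Secure, HttpOnly or SameSite, which is the audit step an administrator would run against a Cognos Controller instance they operate after upgrading or fronting it with HTTPS. The cookie names (cc_session, cc_auth) and the two sample responses are constructed for illustration.

```python
"""Audit Set-Cookie headers for missing hardening attributes.

Added example, not IBM's code: the cookie names and sample responses below are
constructed to illustrate the weakness class of CVE-2019-4171 (session cookies
issued without the Secure attribute) and the hardened form a fix should produce.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Attributes every session/authorization cookie should carry.
REQUIRED = ("secure", "httponly")


@dataclass
class CookieFinding:
    name: str
    missing: list = field(default_factory=list)
    samesite: Optional[str] = None

    @property
    def ok(self) -> bool:
        return not self.missing


def parse_set_cookie(value: str) -> tuple[str, dict[str, Optional[str]]]:
    """Split one Set-Cookie header value into (cookie name, {attribute: value}).

    Attribute names are lower-cased so 'HttpOnly' and 'httponly' compare equal;
    flag attributes without a value (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            k, v = part.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def audit_set_cookie(value: str) -> CookieFinding:
    """Report which hardening attributes a single Set-Cookie value lacks."""
    name, attrs = parse_set_cookie(value)
    finding = CookieFinding(name=name)
    for attr in REQUIRED:
        if attr not in attrs:
            finding.missing.append(attr)
    finding.samesite = attrs.get("samesite")
    if finding.samesite is None:
        finding.missing.append("samesite")
    return finding


def audit_response_headers(headers: list[tuple[str, str]]) -> list[CookieFinding]:
    """Audit every Set-Cookie header in a list of (header, value) pairs.

    This is the shape http.client's HTTPResponse.getheaders() returns, so a
    live response can be passed straight in.
    """
    return [audit_set_cookie(v) for h, v in headers if h.lower() == "set-cookie"]


# Constructed sample responses: one as a vulnerable server might answer, one as
# a fixed server should answer.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "cc_session=0123abcd; Path=/"),
    ("Set-Cookie", "cc_auth=tok-9f8e; Path=/; HttpOnly"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "cc_session=0123abcd; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Set-Cookie", "cc_auth=tok-9f8e; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        for f in audit_response_headers(hdrs):
            status = "OK" if f.ok else "MISSING " + ", ".join(f.missing)
            print(f"[{label}] {f.name}: {status}")
```

Running the script prints one line per cookie; on the weak sample both cookies are flagged (the second only for Secure and SameSite, since it already has HttpOnly), while the hardened sample passes clean. Note that the Secure attribute only matters if the server is reachable over HTTPS, so pair this check with the HTTPS enforcement recommended above.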
Update IBM Cognos Controller to a version in which this vulnerability has been fixed. See the IBM security bulletin for more information and the fixed versions.
CVE-2019-4171 is a vulnerability in IBM Cognos Controller versions 10.3.0-10.4.1 where authorization tokens lack secure attributes, enabling man-in-the-middle attacks and potential data exposure.
If you are using IBM Cognos Controller versions 10.3.0, 10.3.1, 10.4.0, or 10.4.1, you are potentially affected by this vulnerability.
Upgrade to IBM Cognos Controller version 10.4.2 or later to remediate the vulnerability. Consider network segmentation and HTTPS enforcement as interim measures.
There is currently no evidence of active exploitation campaigns targeting CVE-2019-4171.
Refer to the IBM Security Bulletin for details: https://www.ibm.com/support/kbdoc/firstdoc/security/psirt158876