Platform: ibm
Component: cognos-controller
Fixed in: 10.3.2, 10.3.1, 10.4.1, 10.4.2
CVE-2019-4171 describes a vulnerability in IBM Cognos Controller affecting versions 10.3.0 through 10.4.1. The product does not set the Secure attribute on its authorization tokens and session cookies, so a browser will also send them over cleartext HTTP to the same host, where an attacker on the network path can read them (a man-in-the-middle scenario). Successful exploitation could lead to unauthorized access to sensitive information. A fix is available in version 10.4.2.
The primary impact of CVE-2019-4171 is unauthorized information disclosure. An attacker who can observe traffic between a user and the Cognos Controller server can capture an authorization token or session cookie that was sent over plaintext, then replay it to impersonate the user and access data that user is authorized to view. While the CVSS score is LOW, the potential for sensitive data exposure, particularly within a business intelligence context, warrants prompt remediation. The weakness belongs to the broader class of cookie-handling flaws in which a leaked session identifier leads to account takeover.
CVE-2019-4171 was publicly disclosed on September 17, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score suggests a relatively low probability of exploitation, but the potential impact of data exposure remains a concern.
Organizations running IBM Cognos Controller where the network path between clients and the server is not adequately secured are at risk. This includes deployments with weak network segmentation, reliance on unencrypted communication channels (HTTP), and legacy configurations that do not enforce modern transport security. Shared hosting or shared network infrastructure on which other parties can observe traffic to the Cognos Controller server increases the exposure.
EPSS: 0.18% (40th percentile)
The recommended mitigation for CVE-2019-4171 is to upgrade to IBM Cognos Controller version 10.4.2 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, implement network segmentation to limit who can reach the Cognos Controller server and observe its traffic. Also enforce HTTPS between clients and the server, but note that HTTPS alone does not close this issue: a cookie without the Secure attribute is still attached by the browser to any http:// request for the host, so plaintext HTTP must be refused or redirected at the front end and an HSTS header sent so that browsers stop attempting plaintext connections. As a further interim measure, a reverse proxy in front of the server can append the Secure (and HttpOnly) attribute to the Set-Cookie headers it relays. Regularly review and audit Cognos Controller configurations to ensure adherence to security best practices.
Update IBM Cognos Controller to a version that has fixed this vulnerability. See the IBM security bulletin for more information and the fixed versions.
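The following script is an added example for this page, not IBM's code and not taken from the bulletin. It ties together the flaw described above (cookies issued without the Secure attribute are sent over plaintext HTTP) and the interim front-end mitigation (appending Secure before the response reaches the browser). It audits a set of Set-Cookie headers for the Secure and HttpOnly attributes and shows the rewrite a reverse proxy would perform. The sample headers, cookie names and values are constructed for illustration and do not reproduce Cognos Controller's real cookies; the hostname in the optional live-fetch helper is a placeholder.

```python
"""Audit Set-Cookie headers for the Secure attribute (the defect class behind
CVE-2019-4171) and show the interim rewrite a front-end proxy would apply.

Added example for this page; not IBM code. Sample data is constructed.
"""
from http.client import HTTPSConnection
from typing import Dict, List, Tuple

# Constructed sample response headers: two session-style cookies issued
# without Secure, plus one cookie that is set correctly for comparison.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "authtoken=tok456; Path=/",
    "theme=dark; Path=/; Secure; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute name lowercased: value}).

    Flag attributes such as Secure and HttpOnly carry no value and map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def sent_over_plaintext(header: str) -> bool:
    """True if a browser would attach this cookie to an http:// request for
    the same host, i.e. the Secure attribute is absent (RFC 6265, 4.1.2.5)."""
    _, attrs = parse_set_cookie(header)
    return "secure" not in attrs


def audit(headers: List[str]) -> List[Dict[str, object]]:
    """Report, per cookie, which hardening attributes are missing."""
    findings: List[Dict[str, object]] = []
    for h in headers:
        name, attrs = parse_set_cookie(h)
        findings.append({
            "name": name,
            "missing_secure": "secure" not in attrs,
            "missing_httponly": "httponly" not in attrs,
        })
    return findings


def add_secure_attribute(header: str) -> str:
    """Append '; Secure' when absent: the rewrite a reverse proxy in front of
    an unpatched server would apply to relayed Set-Cookie headers."""
    if sent_over_plaintext(header):
        return header.rstrip("; ") + "; Secure"
    return header


def fetch_set_cookie_headers(host: str, path: str = "/") -> List[str]:
    """Fetch a live response over TLS and return all Set-Cookie headers.

    Not called by default; host and path are placeholders to be supplied
    by the operator testing their own deployment.
    """
    conn = HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]


if __name__ == "__main__":
    # Audit the constructed sample, then show the proxy-style rewrite.
    for finding in audit(SAMPLE_SET_COOKIE_HEADERS):
        print(finding)
    for h in SAMPLE_SET_COOKIE_HEADERS:
        print(add_secure_attribute(h))
```

To check a real deployment, point fetch_set_cookie_headers at the server's TLS endpoint and pass the result to audit; a cookie reported with missing_secure is one the browser will also send to any http:// link for that host, which is exactly the leak path this CVE describes. The rewrite in add_secure_attribute is a stopgap only: it protects cookies that pass through the proxy, not a session the server itself establishes over plaintext, so plaintext HTTP still has to be disabled at the front end.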
CVE-2019-4171 is a vulnerability in IBM Cognos Controller versions 10.3.0-10.4.1 in which authorization tokens and session cookies are issued without the Secure attribute, exposing them to capture over plaintext HTTP by a man-in-the-middle and leading to potential data exposure.
If you are using IBM Cognos Controller versions 10.3.0, 10.3.1, 10.4.0, or 10.4.1, you are potentially affected by this vulnerability.
Upgrade to IBM Cognos Controller version 10.4.2 or later to remediate the vulnerability. Consider network segmentation and HTTPS enforcement as interim measures.
There is currently no evidence of active exploitation campaigns targeting CVE-2019-4171.
Refer to the IBM Security Bulletin for details: https://www.ibm.com/support/kbdoc/firstdoc/security/psirt158876