Vulnerability CVE-2018-1842


Published: 2018-11-08   Modified: 2018-11-09

Description:
IBM Cognos Analytics 11 Configuration tool, under certain circumstances, will bypass OIDC namespace signature verification on its id_token. IBM X-Force ID: 150902.

Type:

CWE-347

(Improper Verification of Cryptographic Signature)

Vendor: IBM
Product: Cognos analytics 
Version:
11.0.6
11.0.5
11.0.4.0
11.0.4
11.0.3.0
11.0.3
11.0.2.0
11.0.2
11.0.1.0
11.0.1
11.0.0.0

CVSS2 => (AV:L/AC:M/Au:N/C:P/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.3/10
4.9/10
3.4/10
Exploit range
Attack complexity
Authentication
Local
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
None

 References:
http://www.securitytracker.com/id/1042031
https://exchange.xforce.ibmcloud.com/vulnerabilities/150902
https://www.ibm.com/support/docview.wss?uid=ibm10738249

Related CVE
CVE-2018-1772
IBM SPSS Analytic Server 3.1.1.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a t...
CVE-2018-1969
IBM Security Identity Manager 6.0.0 allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 153750.
CVE-2018-1967
IBM Security Identity Manager 6.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within ...
CVE-2018-1956
IBM Security Identity Manager 6.0.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 153628.
CVE-2018-1993
IBM Spectrum Scale (GPFS) 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, and 5.0.0 where the use of Local Read Only Cache (LROC) is enabled may caused read operation on a file to return data from a different file. IBM X-Force ID: 154440.
CVE-2018-1932
IBM API Connect 5.0.0.0 through 5.0.8.4 is affected by a vulnerability in the role-based access control in the management server that could allow an authenticated user to obtain highly sensitive information. IBM X-Force ID: 153175.
CVE-2018-1951
IBM Publishing Engine 2.1.2, 6.0.5, and 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosu...
CVE-2018-1888
An untrusted search path vulnerability in IBM i Access for Windows versions 7.1 and earlier on Windows can allow arbitrary code execution via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function. IBM X-Force...

Copyright 2019, cxsecurity.com

 

Back to Top