CVE-2018-1842 — Improper Verification of Cryptographic Signature in IBM Cognos Analytics

CWE-347 — Improper Verification of Cryptographic Signature3 documents3 sources

Severity

3.6LOWNVD

EPSS

0.1%

top 78.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Cognos Analytics

Timeline

PublishedNov 9

Latest updateMay 13

Description

IBM Cognos Analytics 11 Configuration tool, under certain circumstances, will bypass OIDC namespace signature verification on its id_token. IBM X-Force ID: 150902.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 1.0 | Impact: 2.5

Affected Packages2 packages

▶NVDibm/cognos_analytics11.0.0.0 — 11.0.12.0

▶CVEListV5ibm/cognos_analytics11

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-72r8-vmj4-cfrp: IBM Cognos Analytics 11 Configuration tool, under certain circumstances, will bypass OIDC namespace signature verification on its id_token↗2022-05-13

▶

CVEList

CVE-2018-1842: IBM Cognos Analytics 11 Configuration tool, under certain circumstances, will bypass OIDC namespace signature verification on its id_token↗2018-11-09

▶