CVE-2020-4685Improper Privilege Management in IBM Cognos Controller

CWE-269Improper Privilege Management3 documents3 sources
Severity
7.2HIGHNVD
EPSS
0.5%
top 33.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
IBM Cognos Controller
Timeline
PublishedNov 11
Latest updateMay 24

Description

A low level user of IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, 10.4.1, and 10.4.2 who has Administration rights to the server where the application is installed, can escalate their privilege from Low level to Super Admin and gain access to Create/Update/Delete any level of user in Cognos Controller. IBM X-Force ID: 186625.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

CVEListV5ibm/cognos_controller5 versions+4
NVDibm/cognos_controller5 versions+4

Patches

Patch: www.ibm.comPatch: www.ibm.com

🔴Vulnerability Details

2
GHSA
GHSA-jv3x-w786-8ggq: A low level user of IBM Cognos Controller 102022-05-24
CVEList
CVE-2020-4685: A low level user of IBM Cognos Controller 102020-11-11
CVE-2020-4685 — Improper Privilege Management in IBM | cvebase