CVE-2022-22308 — Inclusion of Functionality from Untrusted Control Sphere in IBM Planning Analytics

CWE-829 — Inclusion of Functionality from Untrusted Control Sphere CWE-77 — Command Injection3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 62.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Planning Analytics IBM Planning Analytics Workspace

Timeline

PublishedFeb 21

Latest updateFeb 22

Description

IBM Planning Analytics 2.0 is vulnerable to a Remote File Include (RFI) attack. User input could be passed into file include commands and the web application could be tricked into including remote files with malicious code. IBM X-Force ID: 216891.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5ibm/planning_analytics2.0

▶NVDibm/planning_analytics2.0

▶CVEListV5ibm/planning_analytics_workspace2.0

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-vq67-xx7v-6qmg: IBM Planning Analytics 2↗2022-02-22

▶

CVEList

CVE-2022-22308: IBM Planning Analytics 2↗2022-02-21

▶