CVE-2021-20451 - Vulnerability Details - OpenCVE

IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 196643.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Cognos Controller

Configuration 1 [-]

OR	cpe:2.3:a:ibm:cognos_controller:10.4.1:::::::*
	cpe:2.3:a:ibm:cognos_controller:10.4.2:::::::*
	cpe:2.3:a:ibm:cognos_controller:11.0.0:::::::*

No data.

References

Link	Providers
https://exchange.xforce.ibmcloud.com/vulnerabilities/196643
https://www.ibm.com/support/pages/node/7149876

History

Tue, 07 Jan 2025 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ibm Ibm cognos Controller
CPEs		cpe:2.3:a:ibm:cognos_controller:10.4.1:::::::* cpe:2.3:a:ibm:cognos_controller:10.4.2:::::::* cpe:2.3:a:ibm:cognos_controller:11.0.0:::::::*
Vendors & Products		Ibm Ibm cognos Controller

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2024-05-03T18:16:24.867Z

Updated: 2024-08-03T17:37:24.306Z

Reserved: 2020-12-17T19:17:34.736Z

Link: CVE-2021-20451

Vulnrichment

Updated: 2024-08-03T17:37:24.306Z

NVD

Status : Analyzed

Published: 2024-05-03T19:15:07.063

Modified: 2025-01-07T19:25:37.353

Link: CVE-2021-20451

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-20451", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2020-12-17T19:17:34.736Z", "datePublished": "2024-05-03T18:16:24.867Z", "dateUpdated": "2024-08-03T17:37:24.306Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Cognos Controller", "vendor": "IBM", "versions": [{"status": "affected", "version": "10.4.1, 10.4.2, 11.0.0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 196643."}], "value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 196643."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2024-05-03T18:16:24.867Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.ibm.com/support/pages/node/7149876"}, {"tags": ["vdb-entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196643"}], "source": {"discovery": "UNKNOWN"}, "title": "IBM Cognos Controller SQL injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-20451", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-10T20:41:06.165901Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*"], "vendor": "ibm", "product": "cognos_controller", "versions": [{"status": "affected", "version": "10.4.1"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*"], "vendor": "ibm", "product": "cognos_controller", "versions": [{"status": "affected", "version": "10.4.2"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*"], "vendor": "ibm", "product": "cognos_controller", "versions": [{"status": "affected", "version": "11.0.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:12:41.075Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:37:24.306Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.ibm.com/support/pages/node/7149876"}, {"tags": ["vdb-entry", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196643"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.ibm.com/support/pages/node/7149876", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196643", "tags": ["vdb-entry", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:37:24.306Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-20451", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-10T20:41:06.165901Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*"], "vendor": "ibm", "product": "cognos_controller", "versions": [{"status": "affected", "version": "10.4.1"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*"], "vendor": "ibm", "product": "cognos_controller", "versions": [{"status": "affected", "version": "10.4.2"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*"], "vendor": "ibm", "product": "cognos_controller", "versions": [{"status": "affected", "version": "11.0.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-10T20:43:54.581Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "IBM Cognos Controller SQL injection", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "IBM", "product": "Cognos Controller", "versions": [{"status": "affected", "version": "10.4.1, 10.4.2, 11.0.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.ibm.com/support/pages/node/7149876", "tags": ["vendor-advisory"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196643", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 196643.", "supportingMedia": [{"type": "text/html", "value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 196643.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2024-05-03T18:16:24.867Z"}}}, "cveMetadata": {"cveId": "CVE-2021-20451", "state": "PUBLISHED", "dateUpdated": "2024-08-03T17:37:24.306Z", "dateReserved": "2020-12-17T19:17:34.736Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2024-05-03T18:16:24.867Z", "assignerShortName": "ibm"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "04E5A9C3-0F44-40C1-B6B6-92839E386F56", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "7AA07D9A-71F7-446A-8A8E-DD8C357666F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4BB85020-BF02-4C91-B494-93FB19185006", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 196643."}, {"lang": "es", "value": "IBM Cognos Controller 10.4.1, 10.4.2 y 11.0.0 es vulnerable a la inyecci\u00f3n SQL. Un atacante remoto podr\u00eda enviar declaraciones SQL especialmente dise\u00f1adas, que podr\u00edan permitirle ver, agregar, modificar o eliminar informaci\u00f3n en la base de datos back-end. ID de IBM X-Force: 196643."}], "id": "CVE-2021-20451", "lastModified": "2025-01-07T19:25:37.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.7, "source": "psirt@us.ibm.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-03T19:15:07.063", "references": [{"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196643"}, {"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7149876"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196643"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7149876"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "psirt@us.ibm.com", "type": "Secondary"}]}