CVE-2022-22364 - Vulnerability Details - OpenCVE

IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to external service interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 220903.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Ibm	Cognos Controller

Configuration 1 [-]

OR	cpe:2.3:a:ibm:cognos_controller:10.4.1:::::::*
	cpe:2.3:a:ibm:cognos_controller:10.4.2:::::::*
	cpe:2.3:a:ibm:cognos_controller:11.0.0:::::::*

No data.

References

Link	Providers
https://exchange.xforce.ibmcloud.com/vulnerabilities/220903
https://www.ibm.com/support/pages/node/7149876

History

Tue, 07 Jan 2025 20:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-290
CPEs		cpe:2.3:a:ibm:cognos_controller:10.4.1:::::::* cpe:2.3:a:ibm:cognos_controller:10.4.2:::::::*

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2024-05-03T18:14:34.420Z

Updated: 2024-08-03T03:14:55.079Z

Reserved: 2022-01-03T22:29:20.933Z

Link: CVE-2022-22364

Vulnrichment

Updated: 2024-05-06T20:55:34.479Z

NVD

Status : Analyzed

Published: 2024-05-03T19:15:07.263

Modified: 2025-01-07T20:16:36.033

Link: CVE-2022-22364

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-22364", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2022-01-03T22:29:20.933Z", "datePublished": "2024-05-03T18:14:34.420Z", "dateUpdated": "2024-08-03T03:14:55.079Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Cognos Controller", "vendor": "IBM", "versions": [{"status": "affected", "version": "10.4.1, 10.4.2, 11.0.0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to external service interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 220903."}], "value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to external service interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 220903."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-350", "description": "CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2024-05-03T18:14:34.420Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.ibm.com/support/pages/node/7149876"}, {"tags": ["vdb-entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220903"}], "source": {"discovery": "UNKNOWN"}, "title": "IBM Cognos Controller security bypass", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-22364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-06T20:54:09.681072Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*"], "vendor": "ibm", "product": "cognos_controller", "versions": [{"status": "affected", "version": "10.4.1", "versionType": "custom", "lessThanOrEqual": "10.4.2"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*"], "vendor": "ibm", "product": "cognos_controller", "versions": [{"status": "affected", "version": "11.0.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:16:32.227Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:14:55.079Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.ibm.com/support/pages/node/7149876"}, {"tags": ["vdb-entry", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220903"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-22364", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2022-01-03T22:29:20.933Z", "datePublished": "2024-05-03T18:14:34.420Z", "dateUpdated": "2024-06-04T17:16:32.227Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Cognos Controller", "vendor": "IBM", "versions": [{"status": "affected", "version": "10.4.1, 10.4.2, 11.0.0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to external service interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 220903."}], "value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to external service interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 220903."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-350", "description": "CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2024-05-03T18:14:34.420Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.ibm.com/support/pages/node/7149876"}, {"tags": ["vdb-entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220903"}], "source": {"discovery": "UNKNOWN"}, "title": "IBM Cognos Controller security bypass", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-22364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-06T20:54:09.681072Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*"], "vendor": "ibm", "product": "cognos_controller", "versions": [{"status": "affected", "version": "10.4.1", "versionType": "custom", "lessThanOrEqual": "10.4.2"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*"], "vendor": "ibm", "product": "cognos_controller", "versions": [{"status": "affected", "version": "11.0.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-06T20:55:34.479Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "04E5A9C3-0F44-40C1-B6B6-92839E386F56", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "7AA07D9A-71F7-446A-8A8E-DD8C357666F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4BB85020-BF02-4C91-B494-93FB19185006", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to external service interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 220903."}, {"lang": "es", "value": "IBM Cognos Controller 10.4.1, 10.4.2 y 11.0.0 es vulnerable a ataques de interacci\u00f3n de servicios externos, causados por una validaci\u00f3n inadecuada de la entrada proporcionada por el usuario. Un atacante remoto podr\u00eda aprovechar esta vulnerabilidad para inducir a la aplicaci\u00f3n a realizar b\u00fasquedas de DNS en el lado del servidor o solicitudes HTTP a nombres de dominio arbitrarios. Al enviar cargas \u00fatiles adecuadas, un atacante puede hacer que el servidor de aplicaciones ataque otros sistemas con los que puede interactuar. ID de IBM X-Force: 220903."}], "id": "CVE-2022-22364", "lastModified": "2025-01-07T20:16:36.033", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "psirt@us.ibm.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-03T19:15:07.263", "references": [{"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220903"}, {"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7149876"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220903"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7149876"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-350"}], "source": "psirt@us.ibm.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-290"}], "source": "nvd@nist.gov", "type": "Primary"}]}