CVE-2024-51466 CRITICAL

CVE-2024-51466: IBM Cognos Analytics expression language injection

Vendor Ibm
Product Cognos Analytics
Weakness CWE-917
Published December 20, 2024
Last update December 20, 2024

CVSS base score

9.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 is vulnerable to an Expression Language (EL) Injection vulnerability. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement.

Key dates

02Disclosure timeline

December 20, 2024 CVE published
December 20, 2024 Record updated