IBM has issued a security bulletin addressing two newly discovered, high-severity vulnerabilities in its Cognos Analytics platform.
These flaws, tracked as CVE-2024-40695 (Malicious File Upload) and CVE-2024-51466 (Expression Language Injection), potentially expose enterprise systems to unauthorized file uploads and the risk of sensitive data exposure or denial-of-service attacks.
| CVE ID | Description | Severity | CVSS Score | Affected Versions |
| CVE-2024-40695 | Malicious file upload via improper file validation | High | 8.0 | 12.0.0–12.0.4, 11.2.0–11.2.4 FP4 |
| CVE-2024-51466 | Expression Language (EL) Injection allows attackers to expose sensitive information and crash server | Critical | 9.0 | 12.0.0–12.0.4, 11.2.0–11.2.4 FP4 |
Details of the Vulnerabilities
Malicious File Upload (CVE-2024-40695)
.png
)
This vulnerability arises due to insufficient validation of files uploaded through the Cognos Analytics web interface.
Privileged users can upload files with dangerous or executable content, which, when processed by the platform, may allow attackers to execute malicious code or conduct further attacks against unsuspecting users.
The flaw affects Cognos Analytics versions 12.0.0 to 12.0.4 and 11.2.0 to 11.2.4 FP4. It has a CVSS base score of 8.0, underscoring its high risk.
Expression Language Injection (CVE-2024-51466)
A more severe flaw, this issue enables remote attackers to inject arbitrary Expression Language (EL) statements.
When exploited, it can lead to sensitive data exposure, excessive memory consumption, and server crashes, causing significant disruption. Scored 9.0 on the CVSS scale, this vulnerability is considered critical.
Affected Products and Versions
- IBM Cognos Analytics 12.0.0 to 12.0.4
- IBM Cognos Analytics 11.2.0 to 11.2.4 FP4
IBM urges all customers to immediately update their software to the latest patched versions:
| Product | Vulnerable Versions | Fixed Version |
| Cognos Analytics | 12.0.0–12.0.4 | 12.0.4 Interim Fix 1 |
| Cognos Analytics | 11.2.0–11.2.4 FP4 | 11.2.4 FP5 |
No temporary workarounds or mitigations are available-applying the vendor patch is the only solution.
Organizations using IBM Cognos Analytics should prioritize these updates to prevent unauthorized access and attack.
The vulnerabilities present a clear risk to the confidentiality, integrity, and availability of analytic systems and their underlying data.
Setting Up SOC Team? – Download Free Ultimate SIEM Pricing Guide (PDF) For Your SOC Team -> Free Download
