CVE-2024-25034
Published: 24 January 2025
Description
IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the type of file in the File Manager T1 process. Attackers can make use of this weakness and upload malicious executable files into the system that can be sent to victims for performing further attacks.
Security Summary
CVE-2024-25034 affects IBM Planning Analytics 2.0 and 2.1, specifically in the File Manager T1 process, where insufficient validation of uploaded file types enables malicious file uploads. This vulnerability, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and was published on 2025-01-24.
Attackers with low-privileged access (PR:L) can exploit this remotely over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). Exploitation allows uploading malicious executable files to the system, which can then be sent to victims to enable further attacks, achieving high impacts on confidentiality, integrity, and availability.
IBM's security advisory provides details on the vulnerability and mitigation, available at https://www.ibm.com/support/pages/node/7168387.
Details
- CWE(s)