CVE-2024-28777
Published: 19 February 2025
Description
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to unrestricted deserialization. This vulnerability allows users to execute arbitrary code, escalate privileges, or cause denial of service attacks by exploiting the unrestricted deserialization of types in the application.
Security Summary
IBM Cognos Controller versions 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 are affected by CVE-2024-28777, an unrestricted deserialization vulnerability (CWE-502). The flaw arises from the application deserializing types without proper restrictions and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Published on February 19, 2025, the vulnerability exposes the software to potential exploitation through crafted inputs.
Attackers with low-privilege authenticated access over the network can exploit this vulnerability without user interaction. Successful exploitation enables arbitrary code execution, privilege escalation, or denial-of-service conditions, potentially compromising confidentiality, integrity, and availability of the affected system.
The IBM security advisory at https://www.ibm.com/support/pages/node/7183597 details mitigation steps, including applying available patches for the impacted versions.
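The root cause named above, deserializing whatever type the input stream asks for, is the general CWE-502 pattern, and the corresponding fix is to resolve only an explicit allowlist of types. The following added example is illustrative code written for this page, not IBM's code: the page does not state which language or serialization format Cognos Controller uses, so Python's pickle module stands in for the concept. It places the unrestricted load beside a hardened loader whose find_class hook rejects any type outside the allowlist; the payloads are constructed sample data, and the rejected one references only a harmless datetime object to show the check firing.

```python
import builtins
import datetime
import io
import pickle

# Constructed sample: a plain container the application legitimately expects.
# Containers and scalars are built from opcodes and never go through find_class.
SAFE_PAYLOAD = pickle.dumps({"report": "Q1", "rows": [1, 2, 3]})

# Constructed sample: a stream that names a class outside the allowlist.
# A benign datetime is used; the point is that ANY unexpected type is refused.
UNEXPECTED_PAYLOAD = pickle.dumps(datetime.datetime(2025, 2, 19))

# Types the hardened loader is willing to resolve by (module, name).
ALLOWED_TYPES = {("builtins", "set"), ("builtins", "frozenset")}


def unrestricted_load(data: bytes):
    """Vulnerable pattern (CWE-502): every type named in the stream is resolved
    and instantiated, so the sender decides which classes run on the server."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: find_class is the single point where the stream asks
    for a type, so an allowlist here bounds what can ever be instantiated."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_TYPES:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"type {module}.{name} is not allowed")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted_load(data: bytes):
    """Return (True, value) when the stream contains only allowed types,
    or (False, reason) when the allowlist rejected it. Treating the rejection
    as a logged security event is what a defender would want to alert on."""
    try:
        return True, restricted_load(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("unrestricted, unexpected type:", type(unrestricted_load(UNEXPECTED_PAYLOAD)).__name__)
    print("restricted, safe payload:", try_restricted_load(SAFE_PAYLOAD))
    print("restricted, unexpected type:", try_restricted_load(UNEXPECTED_PAYLOAD))
```

The allowlist is deliberately tiny; widen it only with the concrete types the application's own protocol requires, and never by module prefix, since the vulnerability class is precisely that the stream rather than the server chose the type.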
Details
- CWE(s)