Cyber Posture

CVE-2024-40702

Severity: High

Published: 07 January 2025
Modified: 03 July 2025
KEV Added
Patch
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0009 (25.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation.

Security Summary

CVE-2024-40702 affects IBM Cognos Controller versions 11.0.0 through 11.0.1 and IBM Controller 11.1.0 due to improper certificate validation (CWE-295). This vulnerability enables an unauthorized user to obtain valid tokens, granting access to protected resources. It has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity with network accessibility, low attack complexity, and no prerequisite privileges or user interaction.

An attacker needs no authentication to exploit this flaw remotely. Because the affected component does not validate certificates correctly, an attacker can acquire legitimate tokens and use them to reach sensitive protected resources. The result is a high confidentiality impact (unauthorized data exposure), a low integrity impact (limited data tampering), and no impact on availability.

IBM provides details and mitigation guidance in its security advisory at https://www.ibm.com/support/pages/node/7179163.

Details

CWE(s): CWE-295 (Improper Certificate Validation)

Affected Products

Vendor: ibm, Product: cognos controller, Versions: 11.0.0 through 11.0.1
Vendor: ibm, Product: controller, Versions: 11.1.0
