CVE-2024-52902
Published: 19 February 2025
Description
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system.
Security Summary
CVE-2024-52902 is a high-severity vulnerability (CVSS 3.1 score of 8.8) affecting IBM Cognos Controller versions 11.0.0 through 11.0.1 FP3 and the IBM Controller 11.1.0 client application. The issue stems from hard-coded database passwords embedded in the source code (CWE-798: Use of Hard-coded Credentials), which exposes credentials that could enable unauthorized system access. Published on 2025-02-19, this flaw allows attackers to bypass authentication mechanisms by extracting and reusing the static passwords.
An attacker with low privileges (PR:L), such as an authenticated user reachable over the network (AV:N), can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants unauthorized access to the database and the underlying system, with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) within an unchanged scope (S:U). This could lead to data exfiltration, data modification, or disruption of IBM Controller services. Because the password is embedded in the shipped client rather than configured per deployment, anyone who can obtain the client's code can recover it, and administrators cannot rotate it on their own; a vendor-supplied fix is required.
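The defect class described above (CWE-798) is easiest to understand side by side with its fix. The following is an added example, not IBM's code, and it does not reproduce anything from the affected product: it scans a constructed sample of source and configuration lines for literal password assignments while ignoring values that defer to the environment, and shows the hardened alternative of loading the credential at runtime and failing closed when it is missing. The sample lines, the environment variable name DB_PASSWORD, and the function names are assumptions for illustration.

```python
"""Added example for CWE-798 (hard-coded credentials): a small scanner that flags
literal password assignments in source or configuration text, next to the
hardened pattern of loading the credential at runtime. Illustrative only; the
sample lines are constructed and none of this is IBM code."""
import os
import re
from typing import List, Mapping, NamedTuple

# Constructed sample mixing a properties file, Java, and Python fragments.
SAMPLE_SOURCE = "\n".join([
    "jdbc.url=jdbc:sqlserver://db.example.internal:1433;databaseName=controller",
    "db.user=controller_app",
    "db.password=Sup3rS3cret!",                               # literal secret (flag)
    'String pwd = "Wint3r2024";',                             # literal secret (flag)
    'conn = connect(user="svc_report", password="hunter2")',  # literal secret (flag)
    'password = os.environ["DB_PASSWORD"]',                   # runtime lookup (ok)
    "passwd: ${DB_PASSWORD}",                                 # template placeholder (ok)
])

# A credential-like key followed by = or :, then a value that may be quoted.
_CRED_ASSIGNMENT = re.compile(
    r'''(?i)\b(?:db[._-])?(?P<key>pass(?:word|wd)?|pwd|secret)\s*[:=]\s*'''
    r'''(?P<q>["']?)(?P<val>[^"'\s]+)(?P=q)'''
)
# Values that defer to the environment or a template are not hard-coded.
_INDIRECTION = re.compile(r'^(?:\$\{|\$\w|os\.environ|getenv\(|System\.getenv\(|<[^>]*>$)')


class Finding(NamedTuple):
    line: int      # 1-based line number in the scanned text
    key: str       # the credential key that was matched, lower-cased
    preview: str   # masked value: enough to locate it without copying the secret


def scan_for_hardcoded_credentials(text: str) -> List[Finding]:
    """Return one Finding per line that assigns a literal value to a credential key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _CRED_ASSIGNMENT.search(line)
        if not m or _INDIRECTION.match(m.group("val")):
            continue
        val = m.group("val")
        findings.append(Finding(lineno, m.group("key").lower(), val[:2] + "*" * (len(val) - 2)))
    return findings


def load_db_password(env: Mapping[str, str] = os.environ, var: str = "DB_PASSWORD") -> str:
    """Hardened counterpart: the secret is supplied at runtime (environment here,
    a secrets manager in production) and the caller fails closed when it is absent.
    The variable name DB_PASSWORD is an assumption for this example."""
    value = env.get(var, "")
    if not value:
        raise RuntimeError(f"{var} is not set; refusing to start without a database credential")
    return value


if __name__ == "__main__":
    for f in scan_for_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {f.line}: literal value for '{f.key}' ({f.preview})")
```

Run against the constructed sample, the scanner reports lines 3, 4 and 5 and stays silent on the two lines that resolve the password at runtime. The same scan applied to a decompiled or unpacked client, or to strings extracted from its binaries, is a reasonable first check for this weakness class before and after applying a vendor fix; the masked preview keeps the recovered secret out of scan output and ticketing systems.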
IBM has issued a security advisory with details on mitigation and patching at https://www.ibm.com/support/pages/node/7183597. Security practitioners should review this bulletin for version-specific fixes and apply updates promptly to affected deployments.
Details
- CWE(s): CWE-798 (Use of Hard-coded Credentials)