SB2024032729 - Multiple vulnerabilities in IBM Cognos Command Center 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024032729

SB2024032729 - Multiple vulnerabilities in IBM Cognos Command Center

Published: March 27, 2024 Updated: June 20, 2025

Security Bulletin ID SB2024032729
Severity
Critical
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 20% Medium 40% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Deserialization of Untrusted Data (CVE-ID: CVE-2023-46604)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in the OpenWire protocol. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Information disclosure (CVE-ID: CVE-2023-50324)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to IBM Cognos Command Center exposes details of the X-AspNet-Version Response Header. A remote attacker can gain unauthorized access to sensitive information on the system.


3) Cross-site scripting (CVE-ID: CVE-2010-2084)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to an attribute.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


4) Improper input validation (CVE-ID: CVE-2023-22081)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM for JDK. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.


5) Segmentation fault (CVE-ID: CVE-2023-5676)

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. A local privileged user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References