PT-2021-3243 · IBM · IBM Cognos Analytics

Published: 2021-05-31 · Updated: 2021-12-02 · CVE-2020-4561

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: IBM Cognos Analytics versions 11.0 through 11.1

Description: The issue stems from the inclusion of functionality from an untrusted control sphere in the IBM Cognos Analytics online service. It could allow a remote attacker to compromise the confidentiality, integrity, and availability of protected information. Because the DQM API accepts all control requests in unauthenticated sessions, a remote attacker who can reach a valid endpoint can read and write files on the Cognos Analytics system.

Recommendations: For IBM Cognos Analytics versions 11.0 through 11.1, restrict access to the DQM API so that unauthenticated sessions cannot submit control requests. As a temporary workaround, limit the ability to read and write files on the Cognos Analytics system until a fix is available.

Fix

Weakness Enumeration

Related Identifiers

BDU:2021-02961
CVE-2020-4561

Affected Products

IBM Cognos Analytics