IBM Planning Analytics 2.0 and IBM Planning Analytics...
Critical severity
Unreviewed
Published Feb 12, 2022 to the GitHub Advisory Database • Updated Feb 3, 2023
Published by the National Vulnerability Database: Jan 12, 2022
Published to the GitHub Advisory Database: Feb 12, 2022
Last updated: Feb 3, 2023
Description
IBM Planning Analytics 2.0 and IBM Planning Analytics Workspace 2.0 DQM API allows all control requests to be submitted in unauthenticated sessions. This allows a remote threat actor who can access (without previous authentication) a valid PA endpoint to read and write files on the IBM Planning Analytics system. Depending on file system permissions, this can extend to path traversal and possibly remote code execution. IBM X-Force ID: 209511.