IBM Cognos Analytics EL Injection Vulnerability
CVE-2024-51466 Published on December 20, 2024
IBM Cognos Analytics expression language injection
IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and
12.0.0 through 12.0.4
is vulnerable to an Expression Language (EL) Injection vulnerability. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement.
Vulnerability Analysis
CVE-2024-51466 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is an EL Injection Vulnerability?
The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
CVE-2024-51466 has been classified to as an EL Injection vulnerability or weakness.
Products Associated with CVE-2024-51466
Want to know whenever a new CVE is published for IBM Cognos Analytics? stack.watch will email you.
Affected Versions
IBM Cognos Analytics:- Version 11.2.0, <= 11.2.4 is affected.
- Version 12.0.0, <= 12.0.4 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.