IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and
12.0.0 through 12.0.4
is vulnerable to an Expression Language (EL) Injection vulnerability. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement.
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cognos_analytics | Ibm | 11.2.0 (including) | 11.2.4 (excluding) |
| Cognos_analytics | Ibm | 12.0.0 (including) | 12.0.4 (excluding) |
| Cognos_analytics | Ibm | 11.2.4 (including) | 11.2.4 (including) |
| Cognos_analytics | Ibm | 11.2.4-fixpack1 (including) | 11.2.4-fixpack1 (including) |
| Cognos_analytics | Ibm | 11.2.4-fixpack2 (including) | 11.2.4-fixpack2 (including) |
| Cognos_analytics | Ibm | 11.2.4-fixpack3 (including) | 11.2.4-fixpack3 (including) |
| Cognos_analytics | Ibm | 11.2.4-fixpack4 (including) | 11.2.4-fixpack4 (including) |
| Cognos_analytics | Ibm | 12.0.4 (including) | 12.0.4 (including) |