CVE-2023-42017 - OpenCVE

IBM Planning Analytics Local 2.0 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious script, which could allow the attacker to execute arbitrary code on the vulnerable system. IBM X-Force ID: 265567.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Planning Analytics

Configuration 1 [-]

cpe:2.3:a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://exchange.xforce.ibmcloud.com/vulnerabilities/265567
https://www.ibm.com/support/pages/node/7096528

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2023-12-22T16:02:54.311Z

Updated: 2024-08-02T19:16:49.662Z

Reserved: 2023-09-06T19:33:10.323Z

Link: CVE-2023-42017

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-12-22T16:15:07.767

Modified: 2023-12-29T18:52:42.137

Link: CVE-2023-42017

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-42017", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2023-09-06T19:33:10.323Z", "datePublished": "2023-12-22T16:02:54.311Z", "dateUpdated": "2024-08-02T19:16:49.662Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Planning Analytics", "vendor": "IBM", "versions": [{"status": "affected", "version": "2.0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IBM Planning Analytics Local 2.0 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious script, which could allow the attacker to execute arbitrary code on the vulnerable system. IBM X-Force ID: 265567."}], "value": "IBM Planning Analytics Local 2.0 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious script, which could allow the attacker to execute arbitrary code on the vulnerable system. IBM X-Force ID: 265567."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2023-12-22T16:02:54.311Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.ibm.com/support/pages/node/7096528"}, {"tags": ["vdb-entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/265567"}], "source": {"discovery": "UNKNOWN"}, "title": "IBM Planning Analytics file upload", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:16:49.662Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.ibm.com/support/pages/node/7096528"}, {"tags": ["vdb-entry", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/265567"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "965D63C3-4927-4C7A-9509-017A73A0E7A9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Planning Analytics Local 2.0 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious script, which could allow the attacker to execute arbitrary code on the vulnerable system. IBM X-Force ID: 265567."}, {"lang": "es", "value": "IBM Planning Analytics Local 2.0 podr\u00eda permitir a un atacante remoto cargar archivos arbitrarios, provocados por la validaci\u00f3n inadecuada de las extensiones de archivo. Al enviar una solicitud HTTP especialmente manipulada, un atacante remoto podr\u00eda aprovechar esta vulnerabilidad para cargar un script malicioso, lo que podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario en el sistema vulnerable. ID de IBM X-Force: 265567."}], "id": "CVE-2023-42017", "lastModified": "2023-12-29T18:52:42.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "psirt@us.ibm.com", "type": "Secondary"}]}, "published": "2023-12-22T16:15:07.767", "references": [{"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/265567"}, {"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7096528"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}