IBM Cognos Analytics Vulnerable to PgJDBC SQLi and Info Disclosure (CVE-2022-31197)

Key Information Summary Vulnerability Overview IBM Cognos Analytics Certified Containers is affected by security vulnerabilities in the PostgreSQL JDBC driver. Additionally, it is impacted by an information disclosure vulnerability. Vulnerability Details 1. CVE-2022-31197 - Description: The method in the PostgreSQL JDBC driver (PgJDBC) does not escape column names, potentially leading to SQL injection. - CWE: CWE-89 (SQL Injection) - CVSS Base Score: 6.5 2. CVE-2022-41946 - Description: Under certain conditions, temporary files created by PgJDBC on Unix systems may be readable by other users, resulting in information disclosure. - CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) - CVSS Base Score: 6.3 3. CVE-2024-1597 - Description: PgJDBC in mode may allow attackers to inject SQL by crafting specific strings. - CWE: CWE-89 (SQL Injection) - CVSS Base Score: 10 4. CVE-2025-49146 - Description: Specific versions of PgJDBC, when configured to use channel binding, may allow man-in-the-middle attackers to intercept connections. - CWE: CWE-287 (Improper Authentication) - CVSS Base Score: 5.9 5. CVE-2025-33150 - Description: Cognos Analytics Certified Containers may leak package parameters through hidden pages. - CWE: CWE-552 (File or Directory Accessible to External Parties) - CVSS Base Score: 5.3 6. CVE-IBM 220313 - Description: Attackers may exploit information leakage in PgJDBC connection configuration by specifying arbitrary connection properties, potentially gaining unauthorized system access. - CWE: CWE-287 (Improper Authentication) - CVSS Base Score: 9.8 Affected Products and Versions Affected Product: IBM Cognos Analytics Certified Containers Version: 12.1.0 Remediation Fixed Version: 12.1.1 Link: Installing and deploying Cognos Analytics Certified Containers Workarounds and Mitigations No available measures

Goal Reached Thanks to every supporter — we hit 100%!

IBM Cognos Analytics Vulnerable to PgJDBC SQLi and Info Disclosure (CVE-2022-31197)