Cyber Posture

CVE-2024-40702

Severity: High
Published: 07 January 2025
Modified: 03 July 2025
KEV Added: not listed
Patch: see the IBM security advisory referenced under Deeper analysis
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0009 (25.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-40702 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0. Its CVSS v3.1 base score is 8.2 (High): reachable over the network, low attack complexity, no privileges and no user interaction required.

Operationally, its EPSS score of 0.0009 places it at the 25.9th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. A low predicted exploitation rate does not reduce the impact of a successful attack, which yields tokens the product accepts as valid.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-17 (Public Key Infrastructure Certificates). Both constrain how the flaw can be exploited; applying the fix from IBM's advisory (SI-2, Flaw Remediation) is what removes it.

Threat & Defense at a Glance

What defenders deploy: the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SC-17 Public Key Infrastructure Certificates (prevent)

SC-17 requires that certificates be issued under an approved certificate policy (or obtained from an approved provider) and that only approved trust anchors be present in the trust stores the organisation manages. A Controller deployment whose clients trust only the organisation's own anchors gives an attacker far less room to present a certificate that flawed validation would accept, which limits the paths by which CVE-2024-40702 can be used to obtain tokens. It does not by itself correct the product's validation logic.

IA-5 Authenticator Management (prevent)

IA-5 governs the lifecycle of authenticators, including PKI certificates and the tokens issued on the strength of them. Its PKI-based authentication enhancement, IA-5(2), requires constructing and verifying a certification path to an accepted trust anchor and checking certificate status information; that is exactly the validation CWE-295 describes as missing or incomplete, so enforcing it at every token-issuing and token-consuming step contains the unauthorized token acquisition this CVE enables.

SI-2 Flaw Remediation (prevent)

SI-2 requires timely identification, reporting and remediation of system flaws. For CVE-2024-40702 that means applying the fix in IBM's security advisory to the affected 11.0.x and 11.1.0 installations; it is the only listed control that removes the vulnerability rather than constraining its exploitation.

NVD Description

IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation.

Deeper analysis [AI-generated]

CVE-2024-40702 affects IBM Cognos Controller versions 11.0.0 through 11.0.1 and IBM Controller 11.1.0 due to improper certificate validation (CWE-295). The flaw lets an unauthorized user obtain tokens the product treats as valid, and with them access to protected resources. Its CVSS v3.1 base score is 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N): network-reachable, low attack complexity, and no prerequisite privileges or user interaction.

Exploitation is remote and needs neither authentication nor user interaction. Whatever certificate the affected component fails to validate properly, the consequence is the same: the trust decision that should gate token issuance or acceptance can be satisfied by a party that was never entitled to it. The vector records high confidentiality impact (unauthorized data exposure through the acquired tokens), low integrity impact (limited tampering with the data those tokens reach) and no availability impact. The NVD description does not say which side of the token exchange performs the faulty validation, so every certificate-trusting step in an affected deployment should be treated as suspect until the advisory's fix is in place.

IBM provides details and mitigation guidance in its security advisory at https://www.ibm.com/support/pages/node/7179163.
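The program below is an added example, not IBM's code and not derived from the Cognos Controller implementation (the NVD entry does not say which component performs the faulty validation). It demonstrates the generic client-side CWE-295 pattern the analysis above describes: a token client that skips certificate verification hands its credentials to any server that answers and accepts whatever token it is given, while a client pinned to the organisation's own trust anchor (the SC-17 / IA-5(2) posture recommended above) rejects the impostor during the TLS handshake, before a single credential leaves the host. The token service, the /token path, the account controller-svc/s3cret and the token format are constructed for the demonstration; both servers run in-process on loopback with freshly minted self-signed certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
	"time"
)

// newCert mints a self-signed certificate for the loopback addresses httptest binds to.
// Each call uses a fresh key, so one server's certificate never verifies against another's.
func newCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// tokenServer is a constructed stand-in for an authentication endpoint: it swaps a
// password for a bearer token and remembers the last password it saw, so an impostor's
// catch is visible. The genuine service and the impostor run the same handler.
type tokenServer struct {
	*httptest.Server
	seen atomic.Value // last password received, as a string
}

func startTokenServer(issuer string) *tokenServer {
	ts := &tokenServer{}
	ts.Server = httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ts.seen.Store(r.FormValue("password"))
		fmt.Fprintf(w, "token-from-%s", issuer) // constructed token format, not IBM's
	}))
	ts.TLS = &tls.Config{Certificates: []tls.Certificate{newCert()}}
	ts.StartTLS()
	return ts
}

func (ts *tokenServer) LastPassword() string {
	v, _ := ts.seen.Load().(string)
	return v
}

// vulnerableConfig is the CWE-295 pattern: chain and hostname checks are switched off.
func vulnerableConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// hardenedConfig trusts only the organisation's anchor (SC-17) and keeps path and hostname verification (IA-5(2)).
func hardenedConfig(anchor *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// fetchToken posts constructed credentials to url/token under cfg and returns the token the peer issues.
func fetchToken(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Post(url+"/token", "application/x-www-form-urlencoded",
		strings.NewReader("user=controller-svc&password=s3cret")) // constructed account
	if err != nil {
		return "", err // the hardened client fails here, before any credential leaves the host
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	legit, rogue := startTokenServer("legit"), startTokenServer("rogue")
	defer legit.Close()
	defer rogue.Close()
	_, err := fetchToken(rogue.URL, hardenedConfig(legit.Certificate()))
	fmt.Println("hardened client -> impostor:", err)
	tok, _ := fetchToken(rogue.URL, vulnerableConfig())
	fmt.Println("vulnerable client -> impostor:", tok, "| impostor captured:", rogue.LastPassword())
	tok, _ = fetchToken(legit.URL, hardenedConfig(legit.Certificate()))
	fmt.Println("hardened client -> genuine service:", tok)
}
```

Run it with go run; the hardened client's failure against the impostor is Go's x509 "certificate signed by unknown authority" error, raised inside the handshake. The same misconfiguration appears in other stacks as a trust manager or certificate-validation callback that accepts every certificate, and the same correction applies: validate the path to an approved trust anchor and the peer's name, and never make acceptance of the certificate optional.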

Details

CWE(s)

CWE-295 Improper Certificate Validation

Affected Products

IBM Cognos Controller 11.0.0 through 11.0.1
IBM Controller 11.1.0

CVEs Like This One

CVE-2024-45084 (same product: IBM Cognos Controller)
CVE-2024-28777 (same product: IBM Cognos Controller)
CVE-2024-52902 (same product: IBM Cognos Controller)
CVE-2023-47160 (same product: IBM Cognos Controller)
CVE-2024-49782 (same product: Microsoft Windows)
CVE-2026-21228 (same vendor: Microsoft)
CVE-2026-35560 (same product: Microsoft Windows)
CVE-2026-30794 (same product: Microsoft Windows)
CVE-2024-49779 (same product: Microsoft Windows)
CVE-2024-49781 (same product: Microsoft Windows)

References

IBM security advisory for CVE-2024-40702: https://www.ibm.com/support/pages/node/7179163