Cyber Posture

CVE-2024-41739

Severity: High

Published: 24 January 2025
Modified: 14 August 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: see the IBM security advisory linked under Deeper analysis
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0027 (50.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-41739 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in IBM Cognos Dashboards on Cloud Pak for Data, reported by the vendor as dependency confusion. Its CVSS v3.1 base score is 8.8 (High).

Operationally, its EPSS score of 0.0027 places it in the top 49.8% of CVEs by predicted likelihood of exploitation in the next 30 days, roughly the median; it is not currently listed in the CISA KEV catalog, so the urgency comes from the CVSS impact rather than from observed exploitation.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Component authenticity (prevent): directly requires verification of component authenticity prior to installation, preventing dependency confusion by ensuring malicious packages mimicking legitimate dependencies are not used.
- CM-14 Signed Components (prevent): mandates digital signatures for software components such as dependencies, enabling verification to block unsigned or malicious substitutes in dependency confusion attacks.
- SI-7 Software, Firmware, and Information Integrity (prevent, detect): enforces integrity verification of software and firmware, detecting and preventing execution of tampered or confused dependencies introduced via supply chain compromise.
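The controls above describe the fix in policy terms. The following is an added example, not code from this page or from IBM, that shows the mechanism in miniature: two constructed package indexes (one private, one public) and two resolvers. The vulnerable resolver treats both indexes as a single search path and takes the highest version it finds, which is exactly the uncontrolled search path behind dependency confusion; the hardened resolver consults only the index named in a lockfile, accepts only the pinned version, and verifies the artifact hash before returning it (the integrity check SI-7 calls for). Package names, versions and contents are invented for the demonstration; CM-14-style signature verification is not implemented here, since it needs a real signing scheme rather than a hash.

```python
"""Dependency confusion (CWE-427) and pin-and-verify resolution, simulated offline.

Added example, not code from the page or from IBM. All indexes, package names,
versions and contents below are constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    content: bytes          # stands in for the downloaded artifact


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def version_key(version: str) -> tuple:
    """Numeric sort key so '99.0.0' > '1.4.2' (string sort would get this wrong)."""
    return tuple(int(p) for p in version.split("."))


# Constructed sample data. "dashboard-widgets" is a hypothetical internal package
# that was never registered on the public index, so an attacker can publish a
# look-alike there with an absurdly high version number.
PRIVATE_INDEX = {
    "dashboard-widgets": [Package("dashboard-widgets", "1.4.2", b"genuine internal build")],
}
PUBLIC_INDEX = {
    "dashboard-widgets": [Package("dashboard-widgets", "99.0.0", b"attacker payload")],
    "leftpad-like": [Package("leftpad-like", "2.0.1", b"ordinary public package")],
}
INDEXES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}

# Lockfile as the hardened resolver expects it: pinned origin, version and digest.
LOCKFILE = {
    "dashboard-widgets": {"index": "private", "version": "1.4.2",
                          "sha256": sha256_hex(b"genuine internal build")},
    "leftpad-like": {"index": "public", "version": "2.0.1",
                     "sha256": sha256_hex(b"ordinary public package")},
}


def resolve_confusable(name: str, indexes: dict) -> Package:
    """Vulnerable: every configured index is searched and the highest version
    wins, regardless of which index served it."""
    candidates = [pkg for index in indexes.values() for pkg in index.get(name, [])]
    if not candidates:
        raise LookupError(name)
    return max(candidates, key=lambda p: version_key(p.version))


def resolve_pinned(name: str, lockfile: dict, indexes: dict) -> Package:
    """Hardened: only the lockfile's index is consulted for this name, only the
    pinned version is accepted, and the artifact must hash to the pinned digest."""
    pin = lockfile[name]
    for pkg in indexes[pin["index"]].get(name, []):
        if pkg.version != pin["version"]:
            continue
        if sha256_hex(pkg.content) != pin["sha256"]:
            raise ValueError(f"integrity check failed for {name}=={pkg.version}")
        return pkg
    raise LookupError(f"{name}=={pin['version']} not found on index {pin['index']!r}")


if __name__ == "__main__":
    bad = resolve_confusable("dashboard-widgets", INDEXES)
    print("vulnerable resolver picked:", bad.version, bad.content)  # 99.0.0 attacker payload
    good = resolve_pinned("dashboard-widgets", LOCKFILE, INDEXES)
    print("pinned resolver picked:", good.version, good.content)    # 1.4.2 genuine internal build
    # Right index, right version, swapped bytes: still rejected by the hash pin.
    tampered = {"private": {"dashboard-widgets": [
        Package("dashboard-widgets", "1.4.2", b"swapped build")]}}
    try:
        resolve_pinned("dashboard-widgets", LOCKFILE, tampered)
    except ValueError as err:
        print("rejected:", err)
```

The two properties that matter are separable: restricting the search path (one index per name) stops the public look-alike from being considered at all, and the hash pin catches a substituted artifact even when it arrives from the expected index at the expected version.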

NVD Description

IBM Cognos Dashboards 4.0.7 and 5.0.0 on Cloud Pak for Data could allow a remote attacker to perform unauthorized actions due to dependency confusion.

Deeper analysis

CVE-2024-41739 is a vulnerability in IBM Cognos Dashboards versions 4.0.7 and 5.0.0 on Cloud Pak for Data, stemming from dependency confusion (CWE-427, Uncontrolled Search Path Element). This issue could allow a remote attacker to perform unauthorized actions. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, no required privileges, required user interaction, and high impacts across confidentiality, integrity, and availability.

A remote attacker without privileges can exploit this over the network with low complexity, but the vector records required user interaction (UI:R). Neither the vector nor the vendor description says what that interaction is; in a dependency-confusion scenario it is generally the build, install or update action that resolves the dependency name, at which point a look-alike package served from a public index can be fetched in place of the intended internal one. Successful exploitation enables the attacker to perform unauthorized actions, potentially compromising the affected Cognos Dashboards instance.

IBM has published a security advisory with details on the vulnerability and recommended mitigations at https://www.ibm.com/support/pages/node/7177766. Security practitioners should consult this page for patching instructions and workarounds specific to Cloud Pak for Data environments.

Details

CWE(s)

CWE-427 Uncontrolled Search Path Element (dependency confusion)

Affected Products

IBM Cognos Dashboards on Cloud Pak for Data, versions 4.8.0 and 5.0.0 (as recorded in the affected-product data on this page). The NVD description above lists 4.0.7 and 5.0.0 instead; confirm the affected builds against the IBM security advisory before marking an instance fixed or out of scope.

CVEs Like This One

CVE-2024-55898 (same vendor: IBM)
CVE-2024-56340 (same vendor: IBM)
CVE-2024-43187 (same vendor: IBM)
CVE-2025-0162 (same vendor: IBM)
CVE-2024-28766 (same vendor: IBM)
CVE-2025-14480 (same vendor: IBM)
CVE-2024-25034 (same vendor: IBM)
CVE-2024-39750 (same vendor: IBM)
CVE-2024-49352 (same vendor: IBM)
CVE-2025-3320 (same vendor: IBM)

References

IBM security advisory for CVE-2024-41739: https://www.ibm.com/support/pages/node/7177766