Cyber Resilience

CVE-2024-41739

Severity: High

Published: 24 January 2025
Modified: 14 August 2025
KEV Added: not listed
Patch: see the IBM advisory linked below
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-41739 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in IBM Cognos Dashboards on Cloud Pak for Data. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). Its EPSS score places it at the 29.7th percentile for exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2024-41739 is a vulnerability in IBM Cognos Dashboards on Cloud Pak for Data that the advisory text attributes to dependency confusion, tracked here as CWE-427 (Uncontrolled Search Path Element). The issue could allow a remote attacker to perform unauthorized actions. Its CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): network reachable, low attack complexity, no privileges required, user interaction required, and high impact to confidentiality, integrity and availability. Note that the vulnerability text names versions 4.0.7 and 5.0.0 while the affected-asset record on this page lists 4.8.0 and 5.0.0; confirm the exact build against the IBM advisory before deciding whether an instance is affected.

A remote, unauthenticated attacker can exploit this over the network with low complexity, but the vector requires user interaction (UI:R). The advisory does not describe that interaction; for a dependency-confusion issue it is typically an install or update step that resolves the substituted package rather than a click on a link. Successful exploitation lets the attacker perform unauthorized actions on the affected Cognos Dashboards instance.

IBM has published a security advisory with details on the vulnerability and recommended mitigations at https://www.ibm.com/support/pages/node/7177766. Practitioners should consult that page for the patching instructions and any workarounds specific to Cloud Pak for Data environments.

EU & UK References

Vulnerability details

IBM Cognos Dashboards 4.0.7 and 5.0.0 on Cloud Pak for Data could allow a remote attacker to perform unauthorized actions due to dependency confusion.

CWE(s)

CWE-427: Uncontrolled Search Path Element

Related Threats

MITRE ATT&CK Enterprise Techniques

T1195.001 Compromise Software Dependencies and Development Tools (tactic: Initial Access)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

A dependency-confusion weakness (CWE-427) lets an attacker supply a malicious package that the application resolves and loads in place of the intended dependency, which is exactly the compromise of software dependencies that T1195.001 describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-55898 (same vendor: IBM)
CVE-2025-3356 (same vendor: IBM)
CVE-2025-0162 (same vendor: IBM)
CVE-2025-12531 (same vendor: IBM)
CVE-2025-36251 (same vendor: IBM)
CVE-2026-4788 (same vendor: IBM)
CVE-2025-36070 (same vendor: IBM)
CVE-2025-14923 (same vendor: IBM)
CVE-2026-8633 (same vendor: IBM)
CVE-2025-36368 (same vendor: IBM)

Affected Assets

Vendor: IBM
Product: Cognos Dashboards on Cloud Pak for Data
Versions: 4.8.0, 5.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires verification of component authenticity prior to installation, preventing dependency confusion by ensuring malicious packages mimicking legitimate dependencies are not used.

prevent: CM-14 (Signed Components) mandates digital signatures for software components such as dependencies, enabling verification to block unsigned or malicious substitutes in dependency confusion attacks.

prevent, detect: SI-7 (Software, Firmware, and Information Integrity) enforces integrity verification of software and firmware, detecting and preventing execution of tampered or confused dependencies introduced via supply chain compromise.
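To make the three controls above and the "Why these techniques?" reasoning concrete, here is an added example (not code from this page, from IBM, or from Cognos Dashboards) of the pre-install checks a build pipeline can run before it installs dependencies: a package in the organisation's private scope must resolve only from the private registry (the dependency-confusion rule), every lockfile entry must carry an integrity hash, and that hash is recomputed over the bytes that would actually be installed (the SI-7 half of the controls; signature checking under CM-14 is not shown because it needs a signing infrastructure). The npm-style lockfile layout, the registry URLs, the scope name and all package data are assumptions made for the example; the advisory does not say which package ecosystem is involved.

```python
"""Pre-install checks against dependency confusion (added example).

Assumptions, none taken from the IBM advisory: an npm-style lockfile whose
entries carry ``resolved`` and ``integrity`` (SRI) fields, one private
registry URL and one private package scope. The lockfile and the "fetched
tarballs" below are constructed for the example.
"""
import base64
import hashlib
from typing import Dict, List, Tuple
from urllib.parse import urlparse

INTERNAL_REGISTRY = "https://npm.internal.example/"   # assumption
PUBLIC_REGISTRY = "https://registry.npmjs.org/"       # npm's default public registry
INTERNAL_SCOPE = "@example-internal"                  # assumption


def sri_sha512(data: bytes) -> str:
    """Subresource Integrity string (sha512, base64) as npm lockfiles record it."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed tarball bytes an installer would fetch, keyed by tarball file name.
FETCHED: Dict[str, bytes] = {
    "dash-widgets-1.2.0.tgz": b"dash-widgets 1.2.0 built on internal CI",
    "left-pad-1.3.0.tgz": b"left-pad 1.3.0 public",
    "auth-client-0.9.1.tgz": b"auth-client 0.9.1 ATTACKER UPLOAD",  # the confused package
    "lodash-4.17.21.tgz": b"lodash 4.17.21 public",
}

# Constructed lockfile. auth-client is the bad case: an internal-scope name that
# resolves to the public registry, and whose recorded hash no longer matches
# what that registry serves. lodash shows an entry with no hash at all.
LOCKFILE = {
    "packages": {
        "node_modules/@example-internal/dash-widgets": {
            "version": "1.2.0",
            "resolved": INTERNAL_REGISTRY + "@example-internal/dash-widgets/-/dash-widgets-1.2.0.tgz",
            "integrity": sri_sha512(b"dash-widgets 1.2.0 built on internal CI"),
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": PUBLIC_REGISTRY + "left-pad/-/left-pad-1.3.0.tgz",
            "integrity": sri_sha512(b"left-pad 1.3.0 public"),
        },
        "node_modules/@example-internal/auth-client": {
            "version": "0.9.1",
            "resolved": PUBLIC_REGISTRY + "@example-internal/auth-client/-/auth-client-0.9.1.tgz",
            "integrity": sri_sha512(b"auth-client 0.9.1 built on internal CI"),
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": PUBLIC_REGISTRY + "lodash/-/lodash-4.17.21.tgz",
            # no "integrity": nothing to verify the download against
        },
    }
}

Finding = Tuple[str, str, str]  # (package name, finding code, detail)


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the last node_modules component)."""
    return lock_path.split("node_modules/")[-1]


def audit_lockfile(lockfile: dict, fetched: Dict[str, bytes]) -> List[Finding]:
    findings: List[Finding] = []
    for lock_path, entry in lockfile["packages"].items():
        name = package_name(lock_path)
        resolved = entry.get("resolved", "")
        # 1. Dependency confusion: a private-scope name may only come from the private registry.
        if name.startswith(INTERNAL_SCOPE + "/") and not resolved.startswith(INTERNAL_REGISTRY):
            host = urlparse(resolved).netloc or "<none>"
            findings.append((name, "CONFUSION", f"internal name resolved from {host}"))
        # 2. Pinning: every entry must carry an integrity hash.
        expected = entry.get("integrity")
        if not expected:
            findings.append((name, "NO_INTEGRITY", "lockfile entry has no integrity field"))
            continue
        # 3. Verification: recompute the hash over the bytes that would be installed.
        tarball = resolved.rsplit("/", 1)[-1]
        data = fetched.get(tarball)
        if data is None:
            findings.append((name, "UNAVAILABLE", f"{tarball} was not fetched"))
        elif sri_sha512(data) != expected:
            findings.append((name, "INTEGRITY_MISMATCH", f"{tarball} hash differs from lockfile"))
    return findings


def allowed_to_install(findings: List[Finding]) -> bool:
    """Fail closed: any finding blocks the install."""
    return not findings


if __name__ == "__main__":
    results = audit_lockfile(LOCKFILE, FETCHED)
    for pkg, code, detail in results:
        print(f"{code:19} {pkg}: {detail}")
    print("install allowed:", allowed_to_install(results))
```

The registry rule is what makes the hash check meaningful: pinning only proves that the artifact matches what was pinned, so if the lockfile was first generated while the confused package was already winning resolution, the pinned hash is the attacker's. Checking where a private-scope name resolves from catches that case, and failing closed on a missing hash keeps an unpinned entry from slipping past both checks.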

References