CVE-2024-45084
Published: 19 February 2025
Summary
CVE-2024-45084 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Ibm Cognos Controller. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-45084 is a formula injection vulnerability in IBM Cognos Controller versions 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0. The flaw stems from improper validation of file contents, enabling an authenticated attacker to inject malicious formulas that lead to arbitrary command execution on the affected system. It has a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-1236.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability (C:I:A:H), including executing arbitrary commands on the underlying system.
IBM's security advisory at https://www.ibm.com/support/pages/node/7183597 provides details on mitigation, including available patches for the affected versions. Security practitioners should apply these updates promptly and review access controls for file upload functionalities in these products.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4672
Vulnerability details
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Formula injection in a public-facing web app (Cognos Controller) allows an authenticated attacker to craft malicious files that execute arbitrary commands upon opening/processing, directly enabling T1190 (exploit of the exposed application) and T1204.002 (user execution of malicious file).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the improper validation of file contents that enables authenticated attackers to inject malicious formulas leading to arbitrary command execution.
Mitigates the vulnerability by requiring timely remediation of flaws, including application of vendor patches as specified in IBM's security advisory.
Enforces restrictions on file types and structures processed by the system, limiting opportunities for formula injection via unauthorized input formats.