CVE-2024-56340
Published: 28 February 2025
Summary
CVE-2024-56340 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in IBM Cognos Analytics. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
IBM Cognos Analytics versions 11.2.0 through 11.2.4 FP5 contain a local file inclusion vulnerability that stems from improper handling of the deficon parameter. An attacker can supply path traversal sequences to read arbitrary files on the server, corresponding to CWE-23 relative path traversal and carrying a CVSS 3.1 score of 6.5.
The flaw is exploitable by any authenticated user with network access. Because the attack requires only low privileges and no user interaction, an adversary can retrieve sensitive configuration files, credentials, or other restricted content without triggering high-severity integrity or availability impact.
IBM has published remediation guidance at the referenced support page, and a public proof-of-concept is available in the linked GitHub repository. The associated EPSS score has remained flat at 0.1222 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53951
Vulnerability details
IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 is vulnerable to a local file inclusion vulnerability, allowing an attacker to access sensitive files by inserting path traversal payloads inside the deficon parameter.
- CWE(s): CWE-23 (Relative Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote LFI/path traversal in a public-facing web application directly enables T1190 (Exploit Public-Facing Application) and facilitates T1005 (Data from Local System) access to files on the host.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly enforces input validation on the deficon parameter to reject path traversal payloads, preventing local file inclusion attacks.
- SI-2 (Flaw Remediation): Requires timely patching of the specific flaw in IBM Cognos Analytics as detailed in the IBM security advisory, eliminating the vulnerability.
- Enforces access control policies to restrict low-privileged users from reading sensitive files even if path traversal partially succeeds.
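The SI-10 control above is easiest to reason about as code. The following is an added illustration written for this page, not IBM Cognos Analytics code and not a description of how that product handles `deficon` internally: a validator that maps an untrusted file-name parameter onto a fixed directory using an allowlist plus a path-containment proof (so it also catches percent-encoded and double-encoded traversal), and a detection helper that runs the same validator over web-server access logs to surface attempts whether or not the application rejected them. `ICON_ROOT`, the `/bi/v1/icons` endpoint and the log lines are constructed for the example.

```python
"""Input validation for a file-name request parameter (NIST 800-53 SI-10).

Hypothetical illustration only: not IBM Cognos Analytics code. ICON_ROOT,
the endpoint path and the sample access-log lines are constructed.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

ICON_ROOT = "/opt/app/static/icons"  # constructed base directory
QUERY_PARAM = "deficon"               # parameter named in the advisory

# Allowlist: a bare file name with an image extension, no separators at all.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|svg|gif)$")


class PathTraversalError(ValueError):
    """Raised when a parameter fails validation."""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e cannot hide a '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise PathTraversalError("parameter is percent-encoded too many times")


def resolve_icon_path(param: str, root: str = ICON_ROOT) -> str:
    """Map an untrusted name onto a file under `root`, or raise.

    Two independent checks: an allowlist on the literal name, then a
    containment proof on the normalised path. Either alone rejects every
    traversal payload; together they survive a future loosening of one.
    """
    name = fully_decode(param)
    if "\x00" in name:
        raise PathTraversalError("NUL byte in parameter")
    name = name.replace("\\", "/")  # treat Windows separators as separators
    if not SAFE_NAME.fullmatch(name):
        raise PathTraversalError(f"rejected by allowlist: {param!r}")
    candidate = posixpath.normpath(posixpath.join(root, name))
    # Containment: the normalised path must stay strictly below root.
    if posixpath.commonpath([root, candidate]) != root or candidate == root:
        raise PathTraversalError(f"escapes {root}: {param!r}")
    return candidate


# Constructed Apache-style access-log lines, not real traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - alice [01/Mar/2025:10:00:01 +0000] "GET /bi/v1/icons?deficon=report.png HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Mar/2025:10:00:07 +0000] "GET /bi/v1/icons?deficon=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '10.0.0.9 - bob [01/Mar/2025:10:00:09 +0000] "GET /bi/v1/icons?deficon=%252e%252e%252fconfig.xml HTTP/1.1" 404 0',
    '10.0.0.7 - carol [01/Mar/2025:10:00:12 +0000] "GET /bi/v1/dashboards?id=42 HTTP/1.1" 200 9001',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_traversal_requests(access_log_lines):
    """Return (line_no, reason) for requests whose deficon value fails validation.

    Detection side of the same control: the validator is reused as the
    decision procedure, so the SOC rule and the application agree on what
    counts as malformed input.
    """
    findings = []
    for no, line in enumerate(access_log_lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for value in query.get(QUERY_PARAM, []):
            try:
                resolve_icon_path(value)
            except PathTraversalError as exc:
                findings.append((no, str(exc)))
    return findings


if __name__ == "__main__":
    print(resolve_icon_path("report.png"))
    for line_no, reason in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: {reason}")
```

The allowlist does the real work: a file-name parameter has no business containing a separator, so rejecting anything that is not `name.ext` removes the whole traversal class without trying to enumerate `..` spellings. The containment check is kept as defence in depth, and a 200 response on a flagged line (as in the second sample) is the signal worth alerting on.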