IBM Planning Analytics/Planning Analytics Workspace up to 2.0 DQM API access control

A vulnerability classified as critical was found in IBM Planning Analytics and Planning Analytics Workspace up to 2.0. The issue affects an unknown code block of the DQM API component. Upgrading eliminates this vulnerability.

| Field | 01/12/2022 08:37 PM | 01/15/2022 10:11 AM |
|---|---|---|
| vendor | IBM | IBM |
| name | Planning Analytics/Planning Analytics Workspace | Planning Analytics/Planning Analytics Workspace |
| version | <=2.0 | <=2.0 |
| component | DQM API | DQM API |
| cwe | 284 (privilege escalation) | 284 (privilege escalation) |
| risk | 2 | 2 |
| cvss3_vuldb_av | N | N |
| cvss3_vuldb_ac | L | L |
| cvss3_vuldb_pr | N | N |
| cvss3_vuldb_ui | N | N |
| cvss3_vuldb_s | U | U |
| cvss3_vuldb_c | L | L |
| cvss3_vuldb_i | L | L |
| cvss3_vuldb_a | L | L |
| cvss3_vuldb_rl | O | O |
| cvss3_vuldb_rc | C | C |
| cvss3_cna_av | N | N |
| cvss3_cna_ac | L | L |
| cvss3_cna_pr | N | N |
| cvss3_cna_ui | N | N |
| cvss3_cna_s | C | C |
| cvss3_cna_c | H | H |
| cvss3_cna_i | H | H |
| cvss3_cna_a | H | H |
| url | https://www.ibm.com/support/pages/node/6524704 | https://www.ibm.com/support/pages/node/6524704 |
| name | Upgrade | Upgrade |
| cve | CVE-2021-38892 | CVE-2021-38892 |
| cve_assigned | 1629064800 | 1629064800 |
| cve_cna | IBM Corporation | IBM Corporation |
| xforce | 209511 | 209511 |
| date | 1641942000 (01/12/2022) | 1641942000 (01/12/2022) |
| cvss2_vuldb_av | N | N |
| cvss2_vuldb_ac | L | L |
| cvss2_vuldb_au | N | N |
| cvss2_vuldb_ci | P | P |
| cvss2_vuldb_ii | P | P |
| cvss2_vuldb_ai | P | P |
| cvss2_vuldb_rc | C | C |
| cvss2_vuldb_rl | OF | OF |
| cvss2_vuldb_e | ND | ND |
| cvss3_vuldb_e | X | X |
| cvss3_cna_basescore | 10.0 | 10.0 |
| cvss2_vuldb_basescore | 7.5 | 7.5 |
| cvss2_vuldb_tempscore | 6.5 | 6.5 |
| cvss3_vuldb_basescore | 7.3 | 7.3 |
| cvss3_vuldb_tempscore | 7.0 | 7.0 |
| cvss3_meta_basescore | 8.6 | 8.6 |
| cvss3_meta_tempscore | 8.5 | 8.5 |
| price_0day | $5k-$25k | $5k-$25k |
| price_trend | + | + |
| confirm_url | | https://www.ibm.com/support/pages/node/6524704 |
| cve_nvd_summary | | IBM Planning Analytics 2.0 and IBM Planning Analytics Workspace 2.0 DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote threat actor who can access (without previous authentication) a valid PA endpoint to read and write files to the IBM Planning Analytics system. Depending on file system permissions up to path traversal and possibly remote code execution. IBM X-Force ID: 209511. |
