CVE-2024-45084 in Cognos Controller
Summary
by MITRE • 02/19/2025
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0
could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/26/2025
IBM Cognos Controller versions 11.0.0 through 11.0.1 FP3 and 11.1.0 contain a critical vulnerability that enables authenticated attackers to perform formula injection attacks leading to arbitrary command execution. This vulnerability stems from inadequate validation of file contents during the processing of user-supplied data within the application's formula handling mechanisms. The flaw exists in the input sanitization and validation procedures that fail to properly sanitize or validate formula expressions before processing them within the system's computational engine. Attackers with valid authentication credentials can exploit this weakness by crafting malicious formula expressions that bypass the validation checks and execute unintended system commands with the privileges of the application process. This vulnerability directly maps to CWE-94, which describes improper validation of formula expressions and the execution of arbitrary code through injection techniques. The attack vector requires an authenticated user context, making it less accessible than unauthenticated exploits but still highly concerning given the potential for privilege escalation and system compromise. The impact of this vulnerability extends beyond simple command execution as it can lead to full system compromise, data exfiltration, and lateral movement within the network. According to ATT&CK framework, this vulnerability aligns with T1059.001 for command and scripting interpreter and T1068 for local privilege escalation, as attackers can leverage the arbitrary command execution to gain elevated system privileges. The vulnerability represents a significant risk to organizations using IBM Cognos Controller for financial planning and reporting, as these systems often contain sensitive business data and financial information. The exploitation process typically involves crafting malicious formula files that contain shell commands or system calls, which are then processed by the vulnerable application without proper sanitization. Organizations should implement immediate mitigations including applying the latest security patches from IBM, restricting file upload capabilities, and implementing network segmentation to limit the potential impact of successful exploitation. The vulnerability demonstrates the critical importance of proper input validation and sanitization in enterprise applications, particularly those handling complex formula processing and data manipulation functions. Security monitoring should be enhanced to detect unusual formula processing activities and command execution patterns that may indicate exploitation attempts.