CVE-2020-4871

Vulnerability

IBM Planning Analytics 2.0 allows web pages to be stored locally on the system. This vulnerability, identified as CVE-2020-4871, is present in IBM Planning Analytics Local v2.0. The flaw enables locally stored web pages to be accessed by another user on the same machine. According to the advisory [1], the issue was addressed in IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 60.

Exploitation

An attacker must have local access to the system where IBM Planning Analytics Local 2.0 is installed. No authentication is required, as the vulnerability can be exploited by any user who can read the locally stored web page files. The attack complexity is low, and no user interaction is needed beyond the legitimate user performing actions that cause web pages to be stored locally.

Impact

Successful exploitation allows an attacker to read locally stored web pages, leading to the disclosure of potentially sensitive information. The CVSS v3.0 base score is 4.0 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating a low confidentiality impact with no integrity or availability impact. The attacker gains the ability to access information that may be present in the cached web pages.

Mitigation

IBM has released a fix in IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 60. Users should upgrade to this version or later to remediate the vulnerability. No workarounds are listed in the advisory [1]. There is no indication that this CVE is listed on the CISA KEV.