Unrated severity · NVD Advisory · Published Mar 22, 2021 · Updated Sep 16, 2024

CVE-2020-4882

Description

IBM Planning Analytics 2.0 could be vulnerable to a Server-Side Request Forgery (SSRF) attack by constructing URLs from user-controlled data. This could enable attackers to make arbitrary requests to the internal network or to the local file system. IBM X-Force ID: 190852.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Planning Analytics 2.0 is vulnerable to server-side request forgery, allowing attackers to make requests to internal network or local file system.

Vulnerability

IBM Planning Analytics 2.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs. This allows an attacker to construct arbitrary requests that are executed by the server, potentially targeting internal network resources or the local file system. The vulnerability affects IBM Planning Analytics 2.0 as described in the security advisory [1].

Exploitation

An attacker with network access to the Planning Analytics Workspace component can craft malicious URLs that, when processed by the application, cause the server to make requests to unintended destinations. Successful exploitation requires user interaction (e.g., clicking a link) but no authentication per the CVSS vector. The attacker does not need elevated privileges.

Impact

Successful exploitation leads to low confidentiality and low integrity impacts on the system. The attacker can probe internal network services or read local files (SSRF), but the direct impact is limited as per the CVSS score of 6.1. The vulnerability cannot be used for denial of service or direct code execution.

Mitigation

IBM has released a fix in IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 62. Users should upgrade to this version. No workarounds are available as per the advisory [1]. The vulnerability is not listed in the KEV catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

2
