CVE-2021-29851

Vulnerability

IBM Planning Analytics 2.0 (including Planning Analytics Workspace) returns detailed stack trace information in the browser when an error occurs. This information leakage affects versions prior to Planning Analytics Local v2.0 – Planning Analytics Workspace Release 67. The vulnerability exists because the application does not properly sanitize or suppress error output, causing stack traces to be transmitted to the client [1].

Exploitation

An unauthenticated attacker with network access can trigger an error condition in the application (for example by sending a malformed request) and capture the resulting stack trace. No special privileges or user interaction beyond normal browsing is required [1]. The stack trace is returned directly in the HTTP response.

Impact

Successful exploitation allows a remote attacker to obtain sensitive information about the application's internal structure, file paths, and potentially other technical details disclosed in the stack trace. This information can be used to craft more targeted attacks. The CVSS v3.0 base score for this information disclosure is 4.3 (medium severity) [1].

Mitigation

IBM has addressed this vulnerability in IBM Planning Analytics Local v2.0 – Planning Analytics Workspace Release 67, which should be applied to affected systems. For details on obtaining the fix, refer to the IBM security bulletin [1]. No workaround is described in the available references.