CVE-2022-22308
Description
IBM Planning Analytics 2.0 is vulnerable to a Remote File Include (RFI) attack. User input could be passed into file include commands and the web application could be tricked into including remote files with malicious code. IBM X-Force ID: 216891.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Planning Analytics 2.0 is vulnerable to Remote File Include (RFI) via crafted user input, allowing execution of malicious remote code.
Vulnerability
IBM Planning Analytics Workspace 2.0 is vulnerable to a Remote File Include (RFI) attack. The application accepts user input that is passed into file include commands without proper sanitization, allowing an attacker to trick the web application into including remote files containing malicious code. Affected versions are prior to 2.0.73. [1]
Exploitation
An attacker does not require authentication and can exploit the vulnerability remotely over the network. By sending a request with specially crafted input (e.g., a URL pointing to an attacker-controlled server with a malicious file), the attacker can cause the application to include and execute that remote file. No user interaction is required. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary code on the server hosting IBM Planning Analytics Workspace. This can lead to full compromise of the application and underlying system, including unauthorized access to sensitive data, modification of files, and potential lateral movement within the network. The impact on confidentiality, integrity, and availability (CIA) is high. [1]
Mitigation
The vulnerability is fixed in IBM Planning Analytics Workspace version 2.0.73, released as part of a security bulletin. Users must upgrade to version 2.0.73 or later to mitigate the RFI risk. No workaround is documented; upgrading is the recommended action. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2.0
- Range: 2.0
- IBM/Planning Analytics Workspace (v5), Range: 2.0
Patches
No patches discovered yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/216891 (mitre, vdb-entry, x_refsource_XF)
- www.ibm.com/support/pages/node/6557106 (mitre, x_refsource_CONFIRM)