1. What is this vulnerability and why does it matter?
This vulnerability, tracked as CVE-2024-35143, affects IBM Planning Analytics Local versions 2.0 and 2.1. It arises because the MongoDB server these products use is configured to accept connections without password authentication while listening on a network port reachable from remote hosts. This misconfiguration lets a remote attacker gain unauthorized access to the database. It is critical because unauthorized database access can lead to data breaches, data manipulation, denial of service, and potentially further compromise of connected systems and the sensitive information they hold.
2. What are the CVSS score, severity level, and disclosure details?
The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 9.1, which classifies its severity level as Critical. The vulnerability was published on August 4, 2024, at 13:03:10 UTC, and last modified on August 5, 2024, at 13:57:36 UTC.
3. Which products, vendors, systems, and versions are affected?
- Vendors: IBM
- Products: IBM Planning Analytics Local
- Versions Affected: 2.0 and 2.1
- Systems: the MongoDB server instances deployed for use by IBM Planning Analytics Local 2.0 and 2.1.
4. What is the technical root cause and attack vector?
The technical root cause of this vulnerability is a misconfiguration of the MongoDB server that IBM Planning Analytics Local uses, specifically its failure to enforce password authentication. This aligns with CWE-306 (Missing Authentication for Critical Function). The attack vector is remote; an attacker can connect to the MongoDB server over the network because it is listening on a remote port and does not require authentication.
5. How can this vulnerability be exploited?
This vulnerability can be exploited by a remote attacker who identifies the MongoDB server associated with IBM Planning Analytics Local 2.0 or 2.1. Because the server is configured to allow connections without password authentication, the attacker can connect to the network port on which MongoDB is listening and gain full, unauthorized access to the database contents and functions.
7. How can vulnerable systems be detected?
Vulnerable systems can be detected by:
- Inspecting the configuration of the MongoDB instances used by IBM Planning Analytics Local versions 2.0 and 2.1 to verify whether they accept unauthenticated connections.
- Scanning for MongoDB instances listening on network-reachable ports that do not require authentication.
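The following audit script is an added example for the configuration check described above; it is not code from IBM, MongoDB, or the original advisory. It reads a `mongod.conf`-style file offline and reports the two conditions that together make up the root cause from section 4: `security.authorization` not enforced (CWE-306) and the server bound to a non-loopback interface. The two configuration texts embedded in it are constructed samples, one showing the weak settings and one the corrected settings; they are not files taken from a real Planning Analytics installation, whose actual config path is not given on this page.

```python
"""Offline audit of a mongod.conf for the conditions behind CVE-2024-35143:
authentication not enforced while the server is bound to a non-loopback
interface. Added example for this page; not IBM's or MongoDB's own code.
The configuration texts below are constructed samples, not real deployment files."""

from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_simple_yaml(text: str) -> dict:
    """Parse the nested 'key: value' subset of YAML that mongod.conf uses.

    Handles indentation-based nesting, '#' comments and quoted scalars; it does
    not handle lists, anchors or values that themselves contain '#'. A real YAML
    library is preferable for arbitrary files; this keeps the example dependency-free.
    """
    root: dict = {}
    stack = [(-1, root)]          # (indent level, mapping open at that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unparsable line: {raw!r}")
        while stack[-1][0] >= indent:   # climb back out to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value:
            parent[key.strip()] = value
        else:                             # 'key:' with no value opens a nested mapping
            child: dict = {}
            parent[key.strip()] = child
            stack.append((indent, child))
    return root


def lookup(cfg: dict, dotted: str):
    """Return cfg['a']['b'] for dotted='a.b', or None when the path is absent."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


@dataclass
class Finding:
    check: str
    ok: bool
    detail: str


def audit_mongod_config(text: str) -> dict:
    """Evaluate authentication and network exposure; return findings plus a verdict."""
    cfg = parse_simple_yaml(text)
    findings = []

    # Authentication: 'enabled' is required; a keyFile implies it (replica-set deployments).
    auth = lookup(cfg, "security.authorization")
    auth_enabled = str(auth).lower() == "enabled" or lookup(cfg, "security.keyFile") is not None
    findings.append(Finding(
        "authentication", auth_enabled,
        f"security.authorization={auth!r}; " + ("clients must authenticate"
            if auth_enabled else "unauthenticated clients are accepted (CWE-306)")))

    # Exposure: mongod defaults to localhost; bindIpAll or any non-loopback bindIp exposes it.
    bind = lookup(cfg, "net.bindIp")
    addrs = [a.strip() for a in str(bind).split(",")] if bind else []
    remote = (str(lookup(cfg, "net.bindIpAll")).lower() == "true"
              or any(a not in LOOPBACK for a in addrs))
    findings.append(Finding(
        "network exposure", not remote,
        f"net.bindIp={bind!r}; " + ("reachable from remote hosts" if remote else "loopback only")))

    # The advisory's condition is the conjunction: no authentication AND remotely reachable.
    return {
        "auth_enabled": auth_enabled,
        "remote_reachable": remote,
        "vulnerable": (not auth_enabled) and remote,
        "findings": findings,
    }


# Constructed sample: the misconfiguration the advisory describes.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface
security:
  authorization: disabled
"""

# Constructed sample: authentication enforced and bound to loopback only.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_mongod_config(conf)
        print(f"[{name}] vulnerable={result['vulnerable']}")
        for f in result["findings"]:
            print(f"  {'PASS' if f.ok else 'FAIL'} {f.check}: {f.detail}")
```

One caveat when using this on a live host: mongod's command-line flags (`--auth`, `--bind_ip`, `--bind_ip_all`) override the file, so the audit should be confirmed against the running process's arguments as well, and a `bindIp` that is loopback-only but paired with a port-forwarding or proxy layer still counts as remotely reachable for the purposes of this finding.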
10. What public intelligence references and advisories exist?
- CVE ID: CVE-2024-35143
- IBM X-Force ID: 292420
11. What is the risk assessment and urgency level?
Given the CVSS score of 9.1 (Critical), this vulnerability poses a high risk. The urgency level is immediate, as it allows unauthorized remote access to a critical database without any authentication, potentially leading to severe data breaches, integrity compromises, and operational disruptions. Organizations using affected versions of IBM Planning Analytics Local should prioritize securing their MongoDB instances.