CVE-2022-22308: 
IBM Planning Analytics vulnerability analysis and mitigation

IBM Planning Analytics 2.0 was found to be vulnerable to a Remote File Include (RFI) attack, identified as CVE-2022-22308. The vulnerability was disclosed on February 21, 2022, and allows user input to be passed into file include commands, potentially enabling the web application to be tricked into including remote files containing malicious code (IBM Security).

The vulnerability has been assigned a CVSS v3.0 base score of 7.1 (HIGH) with the following vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L. This indicates that the vulnerability is network exploitable but requires high attack complexity and user interaction. The vulnerability affects the security objectives of confidentiality and integrity at a high level, while availability is impacted at a low level (NVD).

The successful exploitation of this vulnerability could allow attackers to include remote files containing malicious code into the web application. This could potentially lead to unauthorized access to sensitive information and system compromise, affecting both the confidentiality and integrity of the system (IBM Security).

IBM has released security updates to address this vulnerability. Users are strongly recommended to upgrade to IBM Planning Analytics Workspace 2.0.73 or later. The fix is available through IBM Fix Central. For IBM Planning Analytics with Watson, remediation was scheduled for the March 2022 maintenance window (IBM Security).