Potential Salesforce tough-cookie arbitrary code execution vulnerabilitiy have been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability have been addressed. Refer to details for additional information. [CVE-2023-26136]
CVEID:CVE-2023-26136
**DESCRIPTION:**Salesforce tough-cookie could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. By adding or modifying properties of Object.prototype using a proto or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259555 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Affected Product(s) | Affected Version(s) |
---|---|
IBM Watson Assistant for IBM Cloud Pak for Data | All versions before v4.7.4 |
For all affected versions, IBM strongly recommends addressing the vulnerability now by upgrading to the latest (v4.7.4 or later releases) release of IBM Watson Assistant for IBM Cloud Pak for Data which maintains backward compatibility with the versions listed above.
Product Latest Version | Remediation/Fix/Instructions |
---|---|
IBM Watson Assistant for IBM Cloud Pak for Data 4.7.4 |
Follow instructions for Installing Watson Assistant in Link to Release (v4.7.4 release information)
<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.7.x>
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm watson assistant for ibm cloud pak for data | eq | any |