IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Ratpack, an open source software. These vulnerabilities are difficult to expolit since it is an internal component protected from direct access.
CVEID:CVE-2021-29479
**DESCRIPTION:**Ratpack could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using X-Forwarded-Host header to perform redirect cache poisoning to redirect a victim to arbitrary Web sites.
CVSS Base score: 7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204670 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L)
CVEID:CVE-2021-29480
**DESCRIPTION:**Ratpack could provide weaker than expected security, caused by using a predictable method for default client side session signing key. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204669 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2021-29481
**DESCRIPTION:**Ratpack could allow a remote attacker to obtain sensitive information, caused by improper encryption of default configuration of client side sessions. By capturing the session, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204668 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID:CVE-2021-29485
**DESCRIPTION:**Ratpack could allow a remote attacker to execute arbitrary code on the system, caused by an insecure deserialization vulnerability. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204667 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
Watson Discovery | 4.0.0 |
Watson Discovery | 2.0.0-2.2.1 |
Upgrade to IBM Watson Discovery 4.0.2
Upgrade to IBM Watson Discovery 2.2.1 and apply cpd-watson-discovery-2.2.1-patch-4
<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install>
<https://www.ibm.com/support/pages/available-patches-watson-discovery-ibm-cloud-pak-data>
None
CPE | Name | Operator | Version |
---|---|---|---|
watson discovery | eq | 4.0.0 | |
watson discovery | eq | 2.0.0 | |
watson discovery | eq | 2.2.1 |