Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data - Golang (CVE-2020-24553)

Summary

Security Vulnerabilities affect IBM Cloud Pak for Data - Golang (CVE-2020-24553)

Vulnerability Details

CVEID:CVE-2020-24553
**DESCRIPTION:**Golang Go is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the CGI/FCGI handlers. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187776 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

• Patch:
  <https://www.ibm.com/support/pages/node/6327429&gt;

• Users of IBM Cloud Pak for Data V2.5 are advised to:
  Apply IBM Cloud Pak for Data V2.5 cpd-2.5.0.0-lite-patch-6

• Users of IBM Cloud Pak for Data V3.0.0 and V3.0.1 are advised to:
  Apply IBM Cloud Pak for Data V3.0.1 cpd-3.0.1-lite-patch-5

Workarounds and Mitigations

None