Security Bulletin: Vega Vulnerabilities affect IBM Decision Optimization in IBM Cloud Pak for Data (CVE-2023-26486, CVE-2023-26487)

Published: 2023-05-11 13:51:41
Source: www.ibm.com
Tags: vega, ibm decision optimization, cloud pak for data, cve-2023-26486, cve-2023-26487, cross-site scripting, vulnerability, upgrade

CVSS3 score: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS: 0.002 Low (percentile 54.4%)

Summary

There are multiple vulnerabilities in Vega 5.22.1 used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2023-26486
**DESCRIPTION:** Vega is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Vega definition. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/249169 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2023-26487
**DESCRIPTION:** Vega is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Vega snippet. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/249171 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| Decision Optimization for Cloud Pak for Data | All |

Remediation/Fixes

IBM strongly suggests upgrading to Decision Optimization in IBM Cloud Pak for Data 4.6.5, using the Operator upgrade process described in the IBM Documentation:

<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=u-upgrading-from-version-46-8>

Workarounds and Mitigations

None

Affected configurations (Vulners): vendor ibm, product cloud_pak_for_data, match any
