Lucene search

IBM4A35A50D010B479C105A966A95DC2CEB14D5EC7895C021976F4627B02F40D7C5

HistoryJun 25, 2021 - 12:36 a.m.

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

2021-06-2500:36:19

www.ibm.com

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

56.2%

JSON

Summary

IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Node.js.

Vulnerability Details

CVEID:CVE-2021-23362
**DESCRIPTION:**Node.js hosted-git-info module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the fromUrl function in index.js. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198792 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
ICP - Discovery	2.0.0-2.2.1

Remediation/Fixes

Upgrade to IBM Watson Discovery 2.2.1 and apply cpd-watson-discovery-2.2.1-patch-3

<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install>

<https://www.ibm.com/support/pages/available-patches-watson-discovery-ibm-cloud-pak-data>

Workarounds and Mitigations

None

CPENameOperatorVersion
watson discoveryeq2.0.0
watson discoveryeq2.2.1

CPE	Name	Operator	Version
	watson discovery	eq	2.0.0
	watson discovery	eq	2.2.1

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

56.2%

JSON

Related for 4A35A50D010B479C105A966A95DC2CEB14D5EC7895C021976F4627B02F40D7C5