Jan 12, 2023 - 9:59 p.m.

Security Bulletin: A Vulnerability In Apache Commons IO Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data

www.ibm.com
Tags: apache commons io, ibm watson speech services cartridge, ibm cloud pak for data, remote attacker, directory traversal, input validation, cve-2021-29425, cvss base score 7.5, arbitrary files access

CVSS2

Score: 5.8
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

Score: 4.8
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score: 6.3 (Confidence: High)

EPSS: 0.002 (Percentile: 57.2%)

Summary

A vulnerability in Apache Commons IO affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data. See below for details and remediation/fixes for this issue.

Vulnerability Details

**CVEID:** CVE-2021-29425
**DESCRIPTION:** Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FilenameUtils.normalize method. An attacker could send a specially crafted URL request containing "dot dot" sequences (/…/) to view arbitrary files on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/199852 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
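
A caller-side containment check for the traversal class described above, as an added example that is not IBM's or Apache's code: it resolves the request-supplied name against a base directory and verifies the result, rather than trusting a filename normalizer's output alone. The class name, method name, base directory and sample inputs are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class ContainedPath {
    /**
     * Resolve an untrusted, request-supplied name under baseDir.
     * Throws SecurityException if the result would leave baseDir.
     */
    static Path resolveInside(Path baseDir, String untrusted) throws IOException {
        Path base = baseDir.toRealPath();            // canonical root, symlinks resolved
        Path candidate;
        try {
            // normalize() collapses "." and ".." lexically; an absolute input replaces base
            candidate = base.resolve(untrusted).normalize();
        } catch (InvalidPathException e) {           // e.g. embedded NUL character
            throw new SecurityException("rejected: malformed path", e);
        }
        // Path.startsWith compares whole name elements, not string prefixes
        if (!candidate.startsWith(base)) {
            throw new SecurityException("rejected: escapes base directory");
        }
        // An existing target may be a symlink pointing outside; check its real location
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new SecurityException("rejected: symlink escapes base directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("content-root");  // hypothetical served directory
        Files.writeString(base.resolve("report.txt"), "ok");
        // Constructed sample inputs: two legitimate names, three that must be rejected
        String[] samples = {"report.txt", "sub/../report.txt",
                            "../outside.txt", "//../outside.txt", "/etc/passwd"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveInside(base, s));
            } catch (SecurityException e) {
                System.out.println(s + " -> " + e.getMessage());
            }
        }
    }
}
```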

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data | 4.0.0 - 4.0.5 |

Remediation/Fixes

Please install the newest version of IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data:
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.0.6

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibm watson_assistant_for_ibm_cloud_pak_for_data, Range ≥ 4.0.0
OR
ibm watson_assistant_for_ibm_cloud_pak_for_data, Range ≤ 4.0.5

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | watson_assistant_for_ibm_cloud_pak_for_data | * | cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:*:*:*:*:*:*:*:* |
