History: May 20, 2020 - 12:33 a.m.

Security Bulletin: A security vulnerability has been identified in nanopb shipped with IBM Watson Machine Learning Community Edition (WMLCE)

2020-05-20 00:33:54
www.ibm.com
EPSS: 0.003 (Low), Percentile: 65.8%

Summary

The vulnerability CVE-2020-5235 was found in the nanopb package, which is either built in to or distributed with IBM WMLCE.

Vulnerability Details

**CVEID:** CVE-2020-5235
**DESCRIPTION:** Nanopb is vulnerable to a denial of service caused by an out-of-memory condition. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175958 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM WML Community Edition | 1.6.2 |
| IBM WML Community Edition | 1.7.0 |

Remediation/Fixes

All IBM WMLCE distribution channels have been updated. For those using containers, pulling the image again from its upstream container registry (<https://hub.docker.com/r/ibmcom/powerai>, <https://catalog.redhat.com>) will download an updated image with CVEs resolved. All others should update directly from our conda channel via `conda update`.

For information regarding WMLCE see <https://www.ibm.com/support/knowledgecenter/SS5SF7>.

Workarounds and Mitigations

None

| CPE Name | Operator | Version |
| --- | --- | --- |
| ibm powerai | eq | 1.6.2 |
| ibm powerai | eq | 1.7.0 |
