Lucene search

K
ibmIBM7899599E5B0AB1CAE8E2085EEF74BC639F338DB35A440C095D84914F8889997B
HistoryJun 28, 2023 - 8:45 p.m.

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security restrictions bypass in Pallets Werkzeug ( CVE-2023-23934)

2023-06-2820:45:44
www.ibm.com
7
ibm watson
cloud pak
security bypass
pallets werkzeug
upgrade
cve-2023-23934

3.5 Low

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

21.7%

Summary

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security restrictions bypass in Pallets Werkzeug, caused by improper input validation. ( CVE-2023-23934). Pallets Werkzeug is included as part of the runtimes in our service. This vulnerabilitiy has been addressed. Please read the details for remediation below.

Vulnerability Details

CVEID:CVE-2023-23934
**DESCRIPTION:**Pallets Werkzeug could allow a remote attacker to bypass security restrictions, caused by improper input validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to set a cookie like =__Host-test=bad for another subdomain.
CVSS Base score: 2.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247553 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data 4.0.0 - 4.6.6

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Product(s)|**Version(s)
**|Remediation/Fix/Instructions
—|—|—
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 4.7| The fix in 4.7 applies to all versions listed (4.0.0-4.6.6). Version 4.7 can be downloaded and installed from: <https://www.ibm.com/docs/en/cloud-paks/cp-data&gt;

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmwatson_assistant_for_ibm_cloud_pak_for_dataMatch4.0.0
OR
ibmwatson_assistant_for_ibm_cloud_pak_for_dataMatch4.6.6

3.5 Low

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

21.7%