Lucene search

IBM7B459927A24ED35F510CAB0005F98F8E144BB239430528EB8EC77F3D0EB1372D

HistoryJan 12, 2023 - 9:59 p.m.

Security Bulletin: A jwt-go vulnerability affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2020-26160)

2023-01-1221:59:00

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

56.4%

JSON

Summary

A vulnerability in jwt-go affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data. Please see below for steps to address this issue.

Vulnerability Details

CVEID:CVE-2020-26160
**DESCRIPTION:**jwt-go could allow a remote attacker to bypass security restrictions, caused by a type assertion failure when m[“aud”] happens to be []string{}. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189408 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data	4.0.0 - 4.0.6

Remediation/Fixes

Please install IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, version 4.0.7. This version can be obtained here:

<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=overview-whats-new>

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm speech to text for ibm cloudeq4.0.0
ibm speech to text for ibm cloudeq4.0.6

CPE	Name	Operator	Version
	ibm speech to text for ibm cloud	eq	4.0.0
	ibm speech to text for ibm cloud	eq	4.0.6

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

56.4%

JSON

Related for 7B459927A24ED35F510CAB0005F98F8E144BB239430528EB8EC77F3D0EB1372D