CVSS3 Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score confidence: High
IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Node.js
CVEID: CVE-2024-29896
**DESCRIPTION:** Node.js npm Astro-Shield module is vulnerable to script injection, caused by an error when automated CSP headers generation for SSR content is enabled and the web application serves content that can be partially controlled by external users. A remote attacker could exploit this vulnerability to cause the CSP headers generation feature to allow-list malicious injected resources, such as inlined JS or references to external malicious scripts.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286851 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
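
The flaw class described above, as an added Node.js illustration (not Astro-Shield's or IBM's code): a CSP header built by hashing whatever inline scripts appear in the rendered SSR response also allow-lists injected markup, while emitting only hashes recorded at build time does not. The function names, the simplified regex extraction and the sample page are constructed assumptions.

```javascript
const crypto = require('node:crypto');

// CSP hash source for one inline script body, e.g. 'sha256-...'
const cspHash = (body) =>
  `'sha256-${crypto.createHash('sha256').update(body, 'utf8').digest('base64')}'`;

// Simplified extraction of inline <script> bodies (tags without a src attribute).
function inlineScripts(html) {
  const re = /<script(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Flawed pattern: every inline script found in the rendered response is hashed
// and allow-listed, including markup that originated from user input.
function cspFromRenderedHtml(html) {
  return ["script-src 'self'", ...inlineScripts(html).map(cspHash)].join(' ');
}

// Hardened pattern: only hashes recorded at build time are emitted; inline
// scripts outside that set are reported for logging, never allow-listed.
function cspFromBuildAllowList(html, buildHashes) {
  const unknown = inlineScripts(html).filter((s) => !buildHashes.has(cspHash(s)));
  return { header: ["script-src 'self'", ...buildHashes].join(' '), unknown };
}

// Constructed sample: one trusted template script plus a user-controlled field
// that was reflected into the page without escaping.
const TRUSTED = 'initSearchWidget();';
const USER_FIELD = '<script>injected()</script>';
const page = `<html><body><script>${TRUSTED}</script><p>${USER_FIELD}</p></body></html>`;
const buildHashes = new Set([cspHash(TRUSTED)]);

console.log('flawed  :', cspFromRenderedHtml(page));
console.log('hardened:', cspFromBuildAllowList(page, buildHashes));
```

With the flawed pattern the browser runs the injected script because its hash is in the header; with the hardened pattern the browser blocks it and the `unknown` list gives the server something to alert on.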
Affected Product(s) | Version(s) |
---|---|
ICP - Discovery | 4.0.0 - 5.0.0 |
Upgrade to IBM Watson Discovery 5.0.1. See <https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install>
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | watson_discovery | 4.0.0 | cpe:2.3:a:ibm:watson_discovery:4.0.0:*:*:*:*:*:*:* |
ibm | watson_discovery | 5.0.1 | cpe:2.3:a:ibm:watson_discovery:5.0.1:*:*:*:*:*:*:* |