Security Bulletin: A vulnerability in Spring Framework affects IBM Watson Machine Learning Accelerator

Summary

A vulnerability exists in Spring Framework version used by IBM Watson Machine Learning Accelerator. Spring framework upgrade to version 5.2.15 which resolves these vulnerabilities, is available on IBM Fix Central.

Vulnerability Details

CVEID:CVE-2021-22118
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the WebFlux application. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges to read or modify files in the WebFlux application, or overwrite arbitrary files with multipart request data.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202705 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)

Affected Products and Versions

Remediation/Fixes

For 2.x.x versions, the fixes are in IBM Watson Machine Learning Accelerator 2.3.2. Please reference the upgrade section in <https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=accelerator-upgrading-watson-machine-learning&gt;

Workarounds and Mitigations

None