Lucene search

K
ibmIBMA879EAE8C0CACEA00D15F9B927796F34B14E611D01FB37EA611F618E4F2CED9B
HistoryMay 03, 2023 - 2:08 p.m.

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Python (CVE-2020-10735)

2023-05-0314:08:15
www.ibm.com
13
ibm watson speech services
cloud pak for data
vulnerability
denial of service
python
cve-2020-10735
security bulletin

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

High

EPSS

0.006

Percentile

77.9%

Summary

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Python caused by the failure to limit amount of digits converting text to int (CVE-2020-10735). Python is included as part of our runtime components. This vulnerabilitiy has been addressed. Please read the details for remediation below.

Vulnerability Details

**CVEID:**CVE-2020-10735 DESCRIPTION: Python is vulnerable to a denial of service, caused by the failure to limit amount of digits converting text to int by the int() type in PyLong_FromString(). A remote attacker could exploit this vulnerability to consume all available resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235840 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data 4.0.0 - 4.6.4

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Product(s)|**Version(s)
**|Remediation/Fix/Instructions
—|—|—
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 4.6.5| The fix in 4.6.5 applies to all versions listed (4.0.0-4.6.4). Version 4.6.5 can be downloaded and installed from: **
https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=installing
**

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmibm_speech_to_text_for_ibm_cloudMatch4.0.0
OR
ibmibm_speech_to_text_for_ibm_cloudMatch4.6.4
VendorProductVersionCPE
ibmibm_speech_to_text_for_ibm_cloud4.0.0cpe:2.3:a:ibm:ibm_speech_to_text_for_ibm_cloud:4.0.0:*:*:*:*:*:*:*
ibmibm_speech_to_text_for_ibm_cloud4.6.4cpe:2.3:a:ibm:ibm_speech_to_text_for_ibm_cloud:4.6.4:*:*:*:*:*:*:*

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

High

EPSS

0.006

Percentile

77.9%