Lucene search

K
ibmIBMB7D547364728808601EACB9401BEBCCCC6C25D5AAC6DC65CB900E74761B283BA
HistoryAug 01, 2024 - 4:19 p.m.

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an arbitrary code execution, in Pallets Werkzeug [CVE-2024-34069]

2024-08-0116:19:42
www.ibm.com
15
ibm watson speech services
cloud pak for data
arbitrary code execution
pallets werkzeug
cve-2024-34069
remediation
version 5.0.1

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

Summary

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an arbitrary code execution, in Pallets Werkzeug, caused by improper usage of a pathname and improper CSRF protection in the debugger[CVE-2024-34069]. Pallets Werkzeug is used by our Speech Service runtimes. This vulnerabilitiy has been addressed. Please read the details for remediation below.

Vulnerability Details

**CVEID:**CVE-2024-34069 DESCRIPTION: Pallets Werkzeug could allow a remote attacker to execute arbitrary code on the system, caused by improper usage of a pathname and improper CSRF protection in the debugger. By persuading a victim to interact with a domain and subdomain they control, enter the debugger PIN and guess a URL in the developer’s application that will trigger the debugger, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290009 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data 4.0.0 - 5.0.0

Remediation/Fixes

Product(s)|**Version(s)
**|Remediation/Fix/Instructions
—|—|—
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 5.0.1| The fix in 5.0.1 applies to all versions listed (4.0.0-5.0.0). Version 5.0.1 can be downloaded and installed from: https://www.ibm.com/docs/en/cloud-paks/cp-data

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmwatson_assistant_for_ibm_cloud_pak_for_dataMatch4.0.0
OR
ibmwatson_assistant_for_ibm_cloud_pak_for_dataMatch5.0.0
VendorProductVersionCPE
ibmwatson_assistant_for_ibm_cloud_pak_for_data4.0.0cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:4.0.0:*:*:*:*:*:*:*
ibmwatson_assistant_for_ibm_cloud_pak_for_data5.0.0cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:5.0.0:*:*:*:*:*:*:*

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High