Lucene search

IBMCC0481169F034393FEA5B0CADD291567E08969DB1A86C7B8400AB0125EF670AB

HistoryFeb 05, 2024 - 8:30 p.m.

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to urllib3 sensitive information disclosure vulnerability (CVE-2023-43804)

2024-02-0520:30:12

www.ibm.com

ibm

watson assistant

cloud pak for data

vulnerability

urllib3

sensitive information disclosure

cve-2023-43804

upgrade

remediation

security advisory

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

6.1 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

36.3%

JSON

Summary

Potential urllib3 sensitive information disclosure vulnerabilitity have been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability have been addressed. Refer to details for additional information.

Vulnerability Details

CVEID:CVE-2023-43804
**DESCRIPTION:**urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with cookie request header not stripped during cross-origin redirects. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268192 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2023-45803
**DESCRIPTION:**urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with not remove the HTTP request body when an HTTP redirect response using status 303. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269079 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Affected Version(s)
IBM Watson Assistant for IBM Cloud Pak for Data	All versions before v4.8.2

Remediation/Fixes

For all affected versions, IBM strongly recommends addressing the vulnerability now by upgrading to the latest (v4.8.2 or later releases) release of IBM Watson Assistant for IBM Cloud Pak for Data which maintains backward compatibility with the versions listed above.

Product Latest Version	Remediation/Fix/Instructions
IBM Watson Assistant for IBM Cloud Pak for Data 4.8.2

Follow instructions for Installing Watson Assistant in Link to Release (v4.8.2 release information)

<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmwatson_assistant_for_ibm_cloud_pak_for_dataMatchany

CPENameOperatorVersion
ibm watson assistant for ibm cloud pak for dataeqany

CPE	Name	Operator	Version
	ibm watson assistant for ibm cloud pak for data	eq	any

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

6.1 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

36.3%

JSON

Related for CC0481169F034393FEA5B0CADD291567E08969DB1A86C7B8400AB0125EF670AB