IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary command execution in Less, caused by a flaw with omitting shell_quote calls for LESSCLOSE in the close_altfile() function in filename.c [CVE-2022-48624]. Less is included as a Base OS package used by our Speech Services. This vulnerabilitiy has been addressed. Please read the details for remediation below.
CVEID:CVE-2022-48624
**DESCRIPTION:**less could allow a local attacker to execute arbitrary commands on the system, caused by a flaw with omitting shell_quote calls for LESSCLOSE in the close_altfile() function in filename.c. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the host operating system.
CVSS Base score: 7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/289398 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data | 4.0.0 - 4.8.5 |
Product(s)|**Version(s)
**|Remediation/Fix/Instructions
—|—|—
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 5.0| The fix in 5.0 applies to all versions listed (4.0.0-4.8.5). Version 5.0 can be downloaded and installed from: <https://www.ibm.com/docs/en/cloud-paks/cp-data>
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | watson_assistant_for_ibm_cloud_pak_for_data | 4.0.0 | cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:4.0.0:*:*:*:*:*:*:* |
ibm | watson_assistant_for_ibm_cloud_pak_for_data | 4.8.5 | cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:4.8.5:*:*:*:*:*:*:* |