Main Vulnerability Database SB2022051083

SB2022051083 - Multiple vulnerabilities in IBM Watson Assistant for IBM Cloud Pak for Data

Published: May 10, 2022 Updated: September 19, 2025

Security Bulletin ID SB2022051083

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 vulnerabilities.

1) Improper validation of certificate with host mismatch (CVE-ID: CVE-2021-44532)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper validation of certificates, when converting SANs (Subject Alternative Names) to a string format. A remote attacker can inject special characters into the string and perform spoofing attack.

2) Improper Certificate Validation (CVE-ID: CVE-2021-44533)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper validation of certificate subject and issuer fields. A remote attacker can create a certificate with specially crafted multi-value Relative Distinguished Names and perform spoofing attack.

3) Prototype pollution (CVE-ID: CVE-2022-21824)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to the formatting logic of the console.table() function. A remote attacker can send a specially crafted request and assign an empty string to numerical keys of the object prototype.

Remediation

Install update from vendor's website.

References

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-assistant-for-ibm-cloud-pak-for-data-is-vulnerable-to-string-injection-vulnerability-due-to-node-js-cve-2021-44532-cve-2021-44532/