IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data update for PostgreSQL JDBC Driver (PgJDBC)



Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-21724
CWE-ID CWE-665
Exploitation vector Network
Public exploit N/A
Vulnerable software
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data 
Server applications / Other server solutions

Vendor IBM Corporation

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Improper initialization

EUVDB-ID: #VU62714

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21724

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to improper initialization in pgjdbc driver when handling attacker-controlled URL in connection properties as the driver does not verify if the class implements the expected interface before instantiating the class. A remote attacker can pass specially crafted URL to the affected application and execute arbitrary code in the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data : 4.0.0 - 4.0.7

CPE2.3 External links

http://www.ibm.com/support/pages/node/6575507


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###