IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data update for jwt-go
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-26160 |
| CWE-ID | CWE-287 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Improper Authentication
EUVDB-ID: #VU50809
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-26160
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to improper validation when processing data passed via m["aud"]. A remote attacker can pass the []string{} string, which is allowed by the specification, however treated as an empty string and bypass authentication checks.
Install update from vendor's website.
Vulnerable software versionsIBM Watson Speech Services Cartridge for IBM Cloud Pak for Data: 4.0.0 - 4.0.7
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_watson_speech_services_cartridge_for_ibm_cloud_pak_for_data:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_watson_speech_services_cartridge_for_ibm_cloud_pak_for_data:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_watson_speech_services_cartridge_for_ibm_cloud_pak_for_data:4.0.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/6574543
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
