Multiple vulnerabilities in IBM Watson Assistant for IBM Cloud Pak for Data
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2021-3701 CVE-2021-3702 CVE-2021-4041 CVE-2022-3697 |
| CWE-ID | CWE-276 CWE-362 CWE-78 CWE-233 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
IBM Watson Assistant for IBM Cloud Pak for Data Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Incorrect default permissions
EUVDB-ID: #VU80855
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2021-3701
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for files and folders that are set by the application. A local user with access to the system can view contents of files and directories or modify them.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Watson Assistant for IBM Cloud Pak for Data: 1.5.0 - 4.6
Fixed software versionsCPE2.3 External links
http://www.ibm.com/support/pages/node/7009887
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
2) Race condition
EUVDB-ID: #VU80856
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2021-3702
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Watson Assistant for IBM Cloud Pak for Data: 1.5.0 - 4.6
Fixed software versionsCPE2.3 External links
http://www.ibm.com/support/pages/node/7009887
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
3) OS Command Injection
EUVDB-ID: #VU59579
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2021-4041
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation in the ansible_runner.interface.run_command. A local user can pass specially crafted parameters to the command that get executed on the host operating system instead of the guest OS.
Install update from vendor's website.
Vulnerable software versionsIBM Watson Assistant for IBM Cloud Pak for Data: 1.5.0 - 4.6
Fixed software versionsCPE2.3 External links
http://www.ibm.com/support/pages/node/7009887
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
4) Improper Handling of Parameters
EUVDB-ID: #VU78492
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2022-3697
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote user can gain unauthorized access to sensitive information on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Watson Assistant for IBM Cloud Pak for Data: 1.5.0 - 4.6
Fixed software versionsCPE2.3 External links
http://www.ibm.com/support/pages/node/7009887
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
