SB2024022730 - Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data
Published: February 27, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 31 vulnerabilities.
1) Incorrect Regular Expression (CVE-ID: CVE-2021-27290)
CWE-ID: CWE-185 - Incorrect Regular Expression
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect processing of SRIs. A remote attacker can pass specially crafted input to the application and perform regular expression denial of service (ReDoS) attack.
2) Cryptographic issues (CVE-ID: CVE-2020-13822)
CWE-ID: CWE-310 - Cryptographic Issues
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to comrpomise the target system.
The vulnerability exists due to the affected software allows ECDSA signature malleability via variations in encoding, leading "\0" bytes, or integer overflows. A remote attacker can cause a security-relevant impact if an application relied on a single canonical signature.
3) Resource management error (CVE-ID: CVE-2015-8855)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
4) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2020-28498)
CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to cryptographic issues in the secp256k1 implementation in elliptic/ec/key.js. A remote attacker can pass specially crafted public key point to the application and gain access to sensitive information.
5) Resource exhaustion (CVE-ID: CVE-2021-32640)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in the "Sec-Websocket-Protocol" header. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
6) Prototype Pollution (CVE-ID: CVE-2020-7608)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and add or modify properties of Object.prototype using a "__proto__" payload.
7) Path traversal (CVE-ID: CVE-2021-37713)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due insufficient logic on Windows systems when extracting tar files that contained a path that
was not an absolute path, but specified a drive letter different from
the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory.
8) Absolute Path Traversal (CVE-ID: CVE-2021-32803)
CWE-ID: CWE-36 - Absolute Path Traversal
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to a logic issue when extracting tar files that contained both a directory
and a symlink with the same name as the directory. This order of
operations resulted in the directory being created and added to the node-tar
directory cache. When a directory is present in the directory cache,
subsequent calls to mkdir for that directory are skipped. However, this
is also where node-tar checks for symlinks occur.
By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar
symlink checks on directories, essentially allowing an untrusted tar
file to symlink into an arbitrary location and subsequently extracting
arbitrary files into that location, thus allowing arbitrary file
creation and overwrite.
9) Deserialization of Untrusted Data (CVE-ID: CVE-2020-7660)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in the function "deleteFunctions" within "index.js". A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
10) Improper input validation (CVE-ID: CVE-2021-23440)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Policy (set-value) component in Oracle Communications Cloud Native Core Policy. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
11) Input validation error (CVE-ID: CVE-2016-1000232)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the regular expression parsing flaw in HTTP request cookie header parsing. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
12) Prototype pollution (CVE-ID: CVE-2020-7788)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation when handling INI files. A remote attacker can pass a specially crafted INI file to the application and perform prototype pollution attacks.
13) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2019-20149)
CWE-ID: CWE-668 - Exposure of resource to wrong sphere
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify files on the system.
The vulnerability exists due to ctorName in index.js in kind-of allows external user input to overwrite certain internal attributes via a conflicting name. A remote unauthenticated attacker can send a specially crafted payload to overwrite builtin attribute and manipulate the type detection result.
14) Resource exhaustion (CVE-ID: CVE-2021-35065)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing regular expressions. A remote attacker can trigger resource exhaustion and perform a regular expression denial of service (ReDoS) attack.
15) Resource exhaustion (CVE-ID: CVE-2021-44906)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
16) Code Injection (CVE-ID: CVE-2021-3918)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient sanitization of user-supplied data during the validation of a JSON object. A remote attacker can pass a specially crafted JSON file for validation and execute arbitrary code.
17) Path traversal (CVE-ID: CVE-2021-37701)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to input validation error when extracting tar files that contained both a directory and a symlink with
the same name as the directory, where the symlink and directory names in
the archive entry used backslashes as a path separator on posix
systems. A remote attacker can create a specially crafted archive and overwrite arbitrary files on the system.
18) Infinite loop (CVE-ID: CVE-2019-20922)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when processing specially-crafted templates. A remote attacker can consume all available system resources and cause denial of service conditions.
19) Resource exhaustion (CVE-ID: CVE-2020-8116)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to prototype pollution. A remote authenticated attacker can modify the prototype of a base object which can vary in severity depending on the implementation (DoS, access to sensitive data, RCE).
20) OS Command Injection (CVE-ID: CVE-2020-7789)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
21) Incorrect Regular Expression (CVE-ID: CVE-2021-23364)
CWE-ID: CWE-185 - Incorrect Regular Expression
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
22) Prototype pollution (CVE-ID: CVE-2020-7598)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
23) Incorrect Regular Expression (CVE-ID: CVE-2020-28469)
CWE-ID: CWE-185 - Incorrect Regular Expression
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect handling of user-supplied input in regular expression. A remote attacker can pass specially crafted input to the application and perform regular expression denial of service (ReDoS) attack.
24) Prototype Pollution (CVE-ID: CVE-2021-23383)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when selecting certain compiling options to compile templates. A remote attacker can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
25) Absolute Path Traversal (CVE-ID: CVE-2021-32804)
CWE-ID: CWE-36 - Absolute Path Traversal
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to a logic issue when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar
would only strip a single path root from such paths. When given an
absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.
26) Cross-site scripting (CVE-ID: CVE-2019-20920)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
27) Prototype pollution (CVE-ID: CVE-2019-19919)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
28) Code Injection (CVE-ID: CVE-2021-23369)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
29) Path traversal (CVE-ID: CVE-2021-37712)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when extracting tar files that contained two directories and a symlink
with names containing unicode values that normalized to the same value. A remote attacker can create a specially crafted archive that, when extracted, can overwrite arbitrary files on the system.
30) Type Confusion (CVE-ID: CVE-2021-23807)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when the pointer components are arrays. A remote attacker can bypass of a previous Prototype Pollution fix when the pointer components are arrays.
31) Input validation error (CVE-ID: CVE-2017-1000048)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Remediation
Install update from vendor's website.