SB2026041039 - Multiple vulnerabilities in IBM watsonx.data

Published: April 10, 2026

Security Bulletin ID: SB2026041039
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium: 80%; remaining 20%: severity level not recoverable from the page's chart (legend: Low, Medium, High, Critical)

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Improper Output Neutralization for Logs (CVE-ID: CVE-2024-1681)

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to excessive data output by the application. A remote attacker can send a specially crafted GET request containing a CRLF sequence in the request path to inject fake log entries into the log file.
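The following is an added illustration of the defensive side of this issue, not code from IBM or from the affected component (which the bulletin does not name): a log formatter that escapes control characters in the request path so that a CRLF sequence cannot terminate one record and start a fake one, plus a small detection helper for flagging such requests before they are logged. The sample path and log format are constructed for the example.

```python
import re

# Constructed sample: a request path carrying a CRLF sequence followed by text
# shaped like a second access-log record. This is test input for the
# functions below, not traffic from any real system.
CRAFTED_PATH = '/api/items\r\n10.0.0.9 - - "GET /admin HTTP/1.1" 200'

# Matches ASCII control characters (CR, LF, NUL, ESC, ...) and DEL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize_for_log(value: str) -> str:
    """Escape control characters so one request produces exactly one log line.

    CR becomes the literal text \\x0d and LF becomes \\x0a; everything else
    passes through unchanged. Escaping rather than stripping keeps evidence of
    the attempt visible in the log for later review.
    """
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def format_access_log(client_ip: str, method: str, path: str, status: int) -> str:
    """Build a Common-Log-Format-style record with the path neutralized."""
    return f'{client_ip} - - "{method} {neutralize_for_log(path)} HTTP/1.1" {status}'


def count_records(log_text: str) -> int:
    """Number of records a line-oriented log parser would see."""
    return len(log_text.splitlines())


def contains_log_injection_attempt(raw_path: str) -> bool:
    """Detection helper: flag request paths that carry CR or LF before logging."""
    return "\r" in raw_path or "\n" in raw_path


if __name__ == "__main__":
    unsafe = f'10.0.0.5 - - "GET {CRAFTED_PATH} HTTP/1.1" 404'
    safe = format_access_log("10.0.0.5", "GET", CRAFTED_PATH, 404)
    print("records without neutralization:", count_records(unsafe))  # 2
    print("records with neutralization:   ", count_records(safe))    # 1
    print("flagged:", contains_log_injection_attempt(CRAFTED_PATH))   # True
    print(safe)
```

Escaping is preferred over silently dropping the characters: the record stays parseable as a single line, and the escaped `\x0d\x0a` is itself a useful search term when reviewing logs for attempts.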


2) Information disclosure (CVE-ID: CVE-2024-6221)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application within the "Access-Control-Allow-Private-Network" CORS header. A remote attacker can gain unauthorized access to sensitive information on the system.


3) Security features bypass (CVE-ID: CVE-2024-6839)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper regex path matching. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. A remote attacker can gain unauthorized cross-origin access to sensitive data or functionality.


4) Input validation error (CVE-ID: CVE-2024-6844)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of special characters in the URL. A remote attacker can bypass applied CORS restrictions and gain unauthorized access to the application.


5) Improper Handling of Case Sensitivity (CVE-ID: CVE-2024-6866)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to usage of a case-sensitive try_match() function on the attacker-controlled URI. A remote attacker can bypass implemented security checks and gain unauthorized access to sensitive data.
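The following added example illustrates both the regex-ordering problem from item 3 and the case-sensitivity problem from item 5 side by side. It is generic code written for this page, not the affected component's implementation (which the bulletin does not name) and not IBM's fix. The policy, the patterns, the permissive fallback and the origins are all constructed; the point is the contrast between a matcher that prefers the longest pattern and matches case-sensitively with a permissive default, and one that applies rules in the administrator's order, anchors them, matches case-insensitively and fails closed.

```python
import re
from typing import Optional

# Constructed CORS policy, listed most specific first. The broad rule is the
# longer pattern *string* but the less specific match; a matcher that prefers
# longer patterns picks it for admin paths as well.
POLICY = [
    (r"/api/admin/.*", {"origins": ["https://ops.example.com"]}),
    (r"/api/[A-Za-z0-9_\-/.]*", {"origins": ["*"]}),
]

# Constructed permissive fallback that the weak matcher applies when nothing
# matches; this is what turns a failed case-sensitive match into wide-open CORS.
DEFAULT_RULE = {"origins": ["*"]}


def weak_lookup(path: str, policy) -> dict:
    """Longest pattern first, case-sensitive, permissive default.

    Reproduces the two weaknesses described above: the longer (broad) rule
    shadows the shorter admin rule, and a path whose case differs from the
    pattern matches nothing and falls through to the wildcard rule.
    """
    for pattern, rule in sorted(policy, key=lambda item: len(item[0]), reverse=True):
        if re.match(pattern, path):
            return rule
    return DEFAULT_RULE


def hardened_lookup(path: str, policy) -> Optional[dict]:
    """Rules in listed order, anchored with fullmatch, case-insensitive, fail closed."""
    for pattern, rule in policy:
        if re.fullmatch(pattern, path, flags=re.IGNORECASE):
            return rule
    return None  # no matching resource: emit no CORS headers at all


def allow_origin_header(rule: Optional[dict], request_origin: str) -> Optional[str]:
    """Value for Access-Control-Allow-Origin, or None to send no header."""
    if rule is None:
        return None
    allowed = rule["origins"]
    if "*" in allowed:
        return "*"
    return request_origin if request_origin in allowed else None


if __name__ == "__main__":
    for path in ("/api/admin/users", "/API/admin/users", "/api/items", "/static/logo.png"):
        print(path)
        print("  weak:    ", weak_lookup(path, POLICY))
        print("  hardened:", hardened_lookup(path, POLICY))
```

Two design points: the hardened matcher lets the administrator's ordering decide precedence instead of inferring specificity from pattern length, and it matches case-insensitively so that a differently cased path cannot slip past a restrictive rule onto a permissive one. Whether case-insensitive matching is exactly right depends on how the underlying router treats case, but returning no CORS headers when no rule matches means the mismatch can only ever be more restrictive, not less.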



Remediation

Install the update from the vendor's website.