SB2023122253 - Multiple vulnerabilities in Watson Machine Learning Accelerator on Cloud Pak for Data

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023122253

SB2023122253 - Multiple vulnerabilities in Watson Machine Learning Accelerator on Cloud Pak for Data

Published: December 22, 2023 Updated: October 25, 2024

Security Bulletin ID SB2023122253
Severity
High
Patch available
YES
Number of vulnerabilities 12
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 8% Medium 75% Low 17%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 12 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2021-23566)

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the valueOf() function. A local attacker can gain unauthorized access to sensitive information on the system.


2) Input validation error (CVE-ID: CVE-2018-25031)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into opening a specially crafted URL to display remote OpenAPI definitions.


3) Command Injection (CVE-ID: CVE-2021-23337)

The vulnerability allows a remote user to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation when processing templates. A remote privileged user can inject and execute arbitrary commands on the system.


4) Prototype pollution (CVE-ID: CVE-2018-16487)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the merge, mergeWith, and defaultsDeep functions. A remote attacker can send a specially crafted request and add or modify properties of Object.prototype.

Successful exploitation of this vulnerability may result in complete compromise of the affected application.


5) Prototype polution (CVE-ID: CVE-2020-8203)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when using _.zipObjectDeep in lodash. A remote attacker can inject and execute arbitrary script code.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


6) Code Injection (CVE-ID: CVE-2019-10744)

The vulnerability allows a remote attacker to modify properties on the target system.

The vulnerability exists due to improper input validation in the "defaultsDeep" function. A remote attacker can send a specially crafted request and modify the prototype of "Object" via "{constructor: {prototype: {...}}}" causing the addition or modification of an existing property that will exist on all objects.



7) Resource exhaustion (CVE-ID: CVE-2019-1010266)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the software does not properly parse user-supplied input in the Date Handler component. A remote authenticated attacker can send long strings that submit malicious input, which the library attempts to match using a regular expression and consume excessive amounts of CPU resources and cause a DoS condition.


8) Input validation error (CVE-ID: CVE-2018-3721)

The vulnerability allows a remote authenticated user to manipulate data.

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.


9) Input validation error (CVE-ID: CVE-2021-3807)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when matching crafted invalid ANSI escape codes in ansi-regex. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


10) Incorrect Regular Expression (CVE-ID: CVE-2021-23343)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation in splitDeviceRe, splitTailRe, and splitPathRe regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


11) Prototype pollution (CVE-ID: CVE-2020-15366)

The disclosed vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code.


12) Improper Restriction of Rendered UI Layers or Frames (CVE-ID: CVE-2021-46708)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into opening a specially crafted URL to hijack the victim's click actions and possibly launch further attacks against the victim.


Remediation

Install update from vendor's website.

References