SB2022062218 - Multiple vulnerabilities in IBM Watson Explorer
Published: June 22, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2022-22475)
The vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to an unspecified error. A remote authenticated user can spoof identity of other application users.
2) Spoofing attack (CVE-ID: CVE-2021-39038)
The vulnerability allows a remote attacker to perform clickjacking attack.
The vulnerability exists due to incorrect processing of user-supplied data, when REST API discovery is configured through the WebSphere administrative console Web Container settings to enable the API Discovery service, or through IBM WebSphere Application Server Liberty features mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0, apiDiscovery-1.0, openapi-3.0 or openapi-3.1. A remote attacker can perform clickjacking attack.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-websphere-application-server-and-websphere-application-server-liberty-affect-ibm-watson-explorer-cve-2022-22475-cve-2021-39038/"
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-websphere-application-server-and-websphere-application-server-liberty-affect-ibm-watson-explorer-cve-2022-22475-cve-2021-39038/</a><br><a
- https://www.ibm.com/support/pages/node/6591057"
- https://www.ibm.com/support/pages/node/6591057</a><br><br><br></p>