SB2024022823 - Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data
Published: February 28, 2024 Updated: February 21, 2025
Description
This security bulletin contains information about 28 security vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-24812)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a design error related to caching of API keys and privilege management. When fine-grained access control is enabled and a client uses a Grafana API key to make requests, the permissions for that API key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructed, subsequent requests with any API key evaluate to the same permissions as the previous request. As a result, if the first request is made with Admin permissions and a second request with a different API key is made with Viewer permissions, the second request gets the cached permissions from the previous Admin request, resulting in privilege escalation.
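The cache-key defect described above, modelled in Go as an added example (not Grafana's or IBM's code): a permission cache keyed by organization alone is compared with one keyed by organization plus hashed API key. The key names, role table and cache structure are constructed for the illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Permissions granted to an API key; apiKeyRoles is a constructed stand-in for the key store.
type Permissions map[string]bool

var apiKeyRoles = map[string]Permissions{
	"key-admin":  {"users:read": true, "users:write": true},
	"key-viewer": {"users:read": true},
}

// PermissionCache memoises resolved permissions under a caller-chosen cache key.
type PermissionCache struct {
	entries map[string]Permissions
	keyFunc func(orgID int64, apiKey string) string
}

// Resolve serves the cached entry when the cache key matches, else looks up and stores.
func (c *PermissionCache) Resolve(orgID int64, apiKey string) Permissions {
	if p, ok := c.entries[c.keyFunc(orgID, apiKey)]; ok {
		return p
	}
	c.entries[c.keyFunc(orgID, apiKey)] = apiKeyRoles[apiKey]
	return apiKeyRoles[apiKey]
}

// VulnerableKey depends on the organization only, so every API key in that org
// shares one entry and inherits whatever the first request resolved.
func VulnerableKey(orgID int64, _ string) string { return fmt.Sprintf("org:%d", orgID) }

// FixedKey binds the entry to the individual key (hashed so the secret is not stored).
func FixedKey(orgID int64, apiKey string) string {
	return fmt.Sprintf("org:%d:key:%x", orgID, sha256.Sum256([]byte(apiKey)))
}

// ViewerGetsWrite: an admin-key request warms the cache, then a viewer key asks for users:write.
func ViewerGetsWrite(keyFunc func(int64, string) string) bool {
	c := &PermissionCache{entries: map[string]Permissions{}, keyFunc: keyFunc}
	c.Resolve(1, "key-admin")
	return c.Resolve(1, "key-viewer")["users:write"]
}

func main() {
	fmt.Println("vulnerable cache key:", ViewerGetsWrite(VulnerableKey)) // true
	fmt.Println("fixed cache key:", ViewerGetsWrite(FixedKey))           // false
}
```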
2) Information disclosure (CVE-ID: CVE-2022-21673)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote user can pass a specially crafted query to the data source with an API token and Forward OAuth Identity feature enabled to gain unauthorized access to sensitive information on the system.
3) Path traversal (CVE-ID: CVE-2021-43813)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
4) Path traversal (CVE-ID: CVE-2021-43798)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences, passed after the "/public/plugins/" URL. A remote non-authenticated attacker can send a specially crafted HTTP request and read arbitrary files on the system.
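A defensive resolver for the /public/plugins/ asset path covered by entries 3 and 4, written in Go as an added example rather than Grafana's own handler; pluginRoot, the plugin ID and the error values are assumptions for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

var ErrTraversal = errors.New("path escapes plugin root")
const pluginRoot = "/var/lib/grafana/plugins" // hypothetical on-disk directory (assumption)

// ResolvePluginAsset maps /public/plugins/<id>/<file> to a file under pluginRoot and
// rejects traversal: percent-decode exactly once (so %2e%2e becomes ..), let path.Join
// collapse "." and ".." segments, then check the result is still inside the plugin's dir.
func ResolvePluginAsset(rawPath string) (string, error) {
	const prefix = "/public/plugins/"
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(decoded, prefix) {
		return "", errors.New("not a plugin asset request")
	}
	rest := strings.TrimPrefix(decoded, prefix)
	// Refuse NUL and backslash: POSIX does not split on "\", but a proxy or Windows host might.
	if strings.ContainsAny(rest, "\\\x00") {
		return "", ErrTraversal
	}
	pluginID, file, ok := strings.Cut(rest, "/")
	if !ok || pluginID == "" || pluginID == "." || pluginID == ".." {
		return "", errors.New("malformed plugin asset request")
	}
	base := path.Join(pluginRoot, pluginID)
	full := path.Join(base, file) // cleaned: a ".." that climbs out leaves full above base
	if full == base || !strings.HasPrefix(full, base+"/") {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	for _, p := range []string{"/public/plugins/example-panel/module.js",
		"/public/plugins/example-panel/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"} {
		full, err := ResolvePluginAsset(p)
		fmt.Println(p, "->", full, err)
	}
}
```

A production check should additionally resolve symlinks on disk (filepath.EvalSymlinks) before serving, since a symlink inside the plugin directory can point outside it.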
5) Information disclosure (CVE-ID: CVE-2022-39201)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists because Grafana leaks the authentication cookie of users to plugins. A remote user can gain unauthorized access to sensitive information.
6) Cross-site scripting (CVE-ID: CVE-2022-21702)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Grafana. A remote attacker can trick the victim into visiting a specially crafted link, execute arbitrary HTML code, and perform a cross-site scripting (XSS) attack.
7) SQL injection (CVE-ID: CVE-2022-39303)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
8) Incorrect authorization (CVE-ID: CVE-2021-41244)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper access control in the fine-grained access control feature. A remote user with an admin role in one organization can list, add, remove, and update users' roles in other organizations where they are not an admin.
9) Missing Authentication for Critical Function (CVE-ID: CVE-2022-31176)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
10) Missing Authentication for Critical Function (CVE-ID: CVE-2022-28660)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because the querier component in Grafana Enterprise does not require authentication when the X-Scope-OrgID header is used. A remote attacker can trigger the vulnerability and execute arbitrary code on the target system.
11) Input validation error (CVE-ID: CVE-2022-29170)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing the HTTP Host header during redirection. A remote attacker can perform a spoofing attack.
12) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2022-35957)
The vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to the way Grafana handles the authorization process when Auth proxy authentication is used. A remote user with admin privileges can authenticate as Server Admin by providing the username (or email) in an X-WEBAUTH-USER HTTP header.
13) Active Debug Code (CVE-ID: CVE-2022-46156)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists because the authentication token used to communicate with the Synthetic Monitoring API is exposed through a debugging endpoint. A local user can gain unauthorized access to sensitive information on the system.
14) Authorization bypass through user-controlled key (CVE-ID: CVE-2022-21713)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to an Insecure Direct Object Reference (IDOR) error in Grafana Teams APIs. A remote authenticated user can view unintended data by querying for the specific team ID or search for teams and see the total number of available teams.
15) Improper Authentication (CVE-ID: CVE-2022-39229)
The vulnerability allows a remote attacker to deny access to the application.
The vulnerability exists due to a logic error in the authentication process, where the application allows the same email address to be used by different accounts. A remote user can set an existing email address that belongs to another user as their username and prevent that user from accessing the application.
16) Improper Authentication (CVE-ID: CVE-2022-31107)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an error in the OAuth implementation routine. A remote attacker can bypass the authentication process and log in under an arbitrary account.
17) Path traversal (CVE-ID: CVE-2021-43815)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing .csv files. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
18) Information disclosure (CVE-ID: CVE-2022-26148)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application when Grafana is integrated with Zabbix. A remote user can find the Zabbix password in the api_jsonrpc.php HTML source code and gain unauthorized access to sensitive information on the system.
19) Path traversal (CVE-ID: CVE-2022-32275)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
Exploitation example:
/dashboard/snapshot/%7B%7Bconstructor.constructor'/../../../../../../../../etc/passwd
20) Input validation error (CVE-ID: CVE-2022-39306)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote user can use the invitation link to sign up with an arbitrary username/email with malicious intent.
21) Stored cross-site scripting (CVE-ID: CVE-2022-31097)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
22) Information disclosure (CVE-ID: CVE-2022-39307)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application when using the forgot-password function on the login page. A remote attacker can gain unauthorized access to sensitive information on the system.
23) Cross-site request forgery (CVE-ID: CVE-2022-21703)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into inviting the attacker as a new user with high privileges to escalate privileges.
24) Cleartext storage of sensitive information (CVE-ID: CVE-2021-41090)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints. A remote attacker can gain unauthorized access to sensitive information on the system.
25) Race condition (CVE-ID: CVE-2022-39328)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a race condition in the Grafana codebase. A remote attacker can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.
26) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-36062)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists because the application does not properly impose security restrictions, which leads to a security restrictions bypass and privilege escalation.
27) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2022-31123)
The vulnerability allows a remote attacker to compromise the affected instance.
The vulnerability exists due to missing signature verification mechanism. A remote attacker can trick the server admin into installing a malicious plugin even though unsigned plugins are not allowed.
28) Incorrect authorization (CVE-ID: CVE-2022-39302)
The vulnerability allows a remote user to bypass security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input. A remote user can send a specially crafted log message to the application to create configurations such as "Better-Audit-Logging" which contain a channel from another server as a target.
Remediation
Install the update from the vendor's website.