SB2024060615 - Multiple vulnerabilities in IBM Watson Discovery

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024060615

SB2024060615 - Multiple vulnerabilities in IBM Watson Discovery

Published: June 6, 2024

Security Bulletin ID SB2024060615
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Memory leak (CVE-ID: CVE-2024-1394)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the RSA encrypting/decrypting code when handling untrusted input. A remote attacker can pass specially crafted data to the application and perform denial of service attack.


2) Observable discrepancy (CVE-ID: CVE-2023-45287)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a timing discrepancy when handling RSA based TLS key exchanges. A remote attacker can perform a Marvin attack and gain access to sensitive information.


3) Input validation error (CVE-ID: CVE-2023-45284)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to the IsLocal() function from the path/filepath package does not correctly detect reserved device names in some cases when executed on Windows. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. A local user can abuse such behavior and bypass implemented security restrictions.


Remediation

Install update from vendor's website.

References