SB2024090628 - Multiple vulnerabilities in IBM watsonx.data

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024090628

SB2024090628 - Multiple vulnerabilities in IBM watsonx.data

Published: September 6, 2024

Security Bulletin ID SB2024090628
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2021-22573)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to IDToken verifier does not verify if token is properly signed. A remote authenticated user can provide a compromised token with custom payload and gain access to sensitive information.


2) Incorrect authorization (CVE-ID: CVE-2020-7692)

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to missing support for PKCE. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource.


Remediation

Install update from vendor's website.

References