Lucene search

IBM20209226CF708BF44C7840FD584A6E597BB42A22FD1DED4CB30C9CB82F0400F6

HistoryAug 17, 2023 - 5:48 p.m.

Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data - Golang (CVE-2020-24553)

2023-08-1717:48:04

www.ibm.com

ibm cloud pak

golang

cross-site scripting

vulnerability

patch

ibm cloud pak for data v2.5

ibm cloud pak for data v3.0.0

ibm cloud pak for data v3.0.1

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.006

Percentile

79.0%

JSON

Summary

Security Vulnerabilities affect IBM Cloud Pak for Data - Golang (CVE-2020-24553)

Vulnerability Details

CVEID:CVE-2020-24553
**DESCRIPTION:**Golang Go is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the CGI/FCGI handlers. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187776 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
CP4D	2.5
CP4D	3.0

Remediation/Fixes

Patch:
<https://www.ibm.com/support/pages/node/6327429>
Users of IBM Cloud Pak for Data V2.5 are advised to:
Apply IBM Cloud Pak for Data V2.5 cpd-2.5.0.0-lite-patch-6
Users of IBM Cloud Pak for Data V3.0.0 and V3.0.1 are advised to:
Apply IBM Cloud Pak for Data V3.0.1 cpd-3.0.1-lite-patch-5

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcloud_pak_for_dataMatch2.5.0

ibmcloud_pak_for_dataMatch3.0.0

VendorProductVersionCPE
ibmcloud_pak_for_data2.5.0cpe:2.3:a:ibm:cloud_pak_for_data:2.5.0:*:*:*:*:*:*:*
ibmcloud_pak_for_data3.0.0cpe:2.3:a:ibm:cloud_pak_for_data:3.0.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_for_data	2.5.0	cpe:2.3:a:ibm:cloud_pak_for_data:2.5.0:::::::*
ibm	cloud_pak_for_data	3.0.0	cpe:2.3:a:ibm:cloud_pak_for_data:3.0.0:::::::*