Lucene search

IBM7B459927A24ED35F510CAB0005F98F8E144BB239430528EB8EC77F3D0EB1372D

HistoryJan 12, 2023 - 9:59 p.m.

Security Bulletin: A jwt-go vulnerability affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2020-26160)

2023-01-1221:59:00

www.ibm.com

jwt-go

ibm watson speech services cartridge

ibm cloud pak for data

cve-2020-26160

type assertion failure

remote attackers

security restrictions

affected versions

upgrade

4.0.7

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.002 Low

EPSS

Percentile

57.0%

JSON

Summary

A vulnerability in jwt-go affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data. Please see below for steps to address this issue.

Vulnerability Details

CVEID:CVE-2020-26160
**DESCRIPTION:**jwt-go could allow a remote attacker to bypass security restrictions, caused by a type assertion failure when m[“aud”] happens to be []string{}. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189408 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data	4.0.0 - 4.0.6

Remediation/Fixes

Please install IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, version 4.0.7. This version can be obtained here:

<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=overview-whats-new>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmspeech_to_textMatch4.0.0

ibmspeech_to_textMatch4.0.6

CPENameOperatorVersion
ibm speech to text for ibm cloudeq4.0.0
ibm speech to text for ibm cloudeq4.0.6

CPE	Name	Operator	Version
	ibm speech to text for ibm cloud	eq	4.0.0
	ibm speech to text for ibm cloud	eq	4.0.6

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.002 Low

EPSS

Percentile

57.0%

JSON

Related for 7B459927A24ED35F510CAB0005F98F8E144BB239430528EB8EC77F3D0EB1372D