Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go

2020-12-0904:42:21

www.ibm.com

ibm watson discovery

ibm cloud pak for data

vulnerability

cross-site scripting

cgi/fcgi handlers

remote attacker

malicious script

web page

authentication credentials

upgrade

fix

EPSS

0.006

Percentile

79.0%

JSON

Summary

IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Go.

Vulnerability Details

CVEID:CVE-2020-24553
**DESCRIPTION:**Golang Go is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the CGI/FCGI handlers. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187776 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)