Lucene search

IBME3C58EDFB5FF0162CE07F0C7082039A077B3682031D50A9940BA6AD01450DE2A

HistoryJan 12, 2023 - 9:59 p.m.

Security Bulletin: A vulnerability in Golang Go affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2021-29923)

2023-01-1221:59:00

www.ibm.com

golang go

ibm watson speech services cartridge

ibm cloud pak for data

cve-2021-29923

ip addresses

access control

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

61.1%

JSON

Summary

A vulnerability in Golang Go before 1.17 affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data. (CVE-2021-29923) Please see below for details on how to remediate this issue.

Vulnerability Details

CVEID:CVE-2021-29923
**DESCRIPTION:**Golang Go could allow a remote attacker to bypass security restrictions, caused by improper consideration for extraneous zero characters at the beginning of an IP address octet. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access control based on IP addresses.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207025 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data	4.0.0 - 4.0.6

Remediation/Fixes

Please install IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, version 4.0.7. This version is available here:

<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=overview-whats-new>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcloud_pak_for_securityMatch4.0.0

ibmcloud_pak_for_securityMatch4.0.6

VendorProductVersionCPE
ibmcloud_pak_for_security4.0.0cpe:2.3:a:ibm:cloud_pak_for_security:4.0.0:*:*:*:*:*:*:*
ibmcloud_pak_for_security4.0.6cpe:2.3:a:ibm:cloud_pak_for_security:4.0.6:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_for_security	4.0.0	cpe:2.3:a:ibm:cloud_pak_for_security:4.0.0:::::::*
ibm	cloud_pak_for_security	4.0.6	cpe:2.3:a:ibm:cloud_pak_for_security:4.0.6:::::::*