Code injection in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data

Aug 2, 2023 12:00 pm Cyber Security 172

Published: 2023-08-02

Security Bulletin


This security bulletin contains one high risk vulnerability.


EUVDB-ID: #VU74574


Risk: High


CVSSv3.1:


CVE-ID: CVE-2023-24538


CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')


Exploit availability: No


Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.


The vulnerability exists due to improper input validation in html/template when handling JavaScript templates that contain backticks in code. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary JavaScript code into the Go template.


Mitigation

Install update from vendor's website.


Vulnerable software versions

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data : before 4.7.1


CPE2.3
External links

http://www.ibm.com/support/pages/node/7015019


Q & A


Can this vulnerability be exploited remotely?


Is there known malware, which exploits this vulnerability?




###SIDEBAR###



Support the originator by clicking the read the rest link below.
injection watson speech services cartridge cloud
Read The Rest from the original source
cybersecurity-help.cz

Related News

Be in Touch

All Rights Reserved #1 Source for Cyber Security News, Reports and Threat Intelligence
Powered By The Internet!!!!