Security Bulletin
Summary
Multiple vulnerabilities in TensorFlow have been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerabilities have been addressed. Refer to details for additional information.
Vulnerability Details
CVEID: CVE-2023-25658
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by an out-of-bounds read in GRUBlockCellGrad. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251019 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25659
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by an out-of-bounds read when the indices parameter in DynamicStitch does not match the data parameter. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251018 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25660
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a segmentation fault when the summarize parameter in tf.raw_ops.Print is zero. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251017 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25661
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by improper input validation by the Convolution3DTranspose function. By sending a specially crafted input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition on ML cloud services.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251123 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25662
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by an integer overflow in EditDistance. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251016 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25663
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a NULL pointer dereference in the Lookup function when ctx->step_containter() is a NULL pointer. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251015 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25664
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a heap-based buffer overflow in TAvgPoolGrad. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251014 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25665
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a NULL pointer dereference when SparseSparseMaximum is given invalid sparse tensors as inputs. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251013 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25666
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a floating point exception in AudioSpectrogram. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251012 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25668
DESCRIPTION: TensorFlow could allow a remote attacker to execute arbitrary code on the system, caused by a heap-based buffer overflow. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251008 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2023-25676
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a NULL pointer dereference in tf.raw_ops.ParallelConcat when running XLA. By sending a specially-crafted request using the shape parameter, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250996 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25801
DESCRIPTION: TensorFlow could allow a local attacker to execute arbitrary code on the system, caused by a double-free in nn_ops.fractional_avg_pool_v2 and nn_ops.fractional_max_pool_v2. By sending a specially-crafted request using the pooling_ratio parameter, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250995 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
CVEID: CVE-2023-25672
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a NULL pointer dereference in tf.raw_ops.LookupTableImportV2. By sending a specially-crafted request using the values parameter, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251002 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25670
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a NULL pointer dereference in QuantizedMatMulWithBiasAndDequantize when MKL is enabled. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251005 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25675
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a segmentation fault in tf.raw_ops.Bincount when running XLA. By sending a specially-crafted request using the weights parameter, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250998 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25667
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by an integer overflow when 2^31 <= num_frames * height * width * channels < 2^32. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251011 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-27579
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a floating point exception when a tflite model with a paramater filter_input_channel of less than 1 is constructed. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251021 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25674
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a NULL pointer dereference in RandomShuffle when XLA is enabled. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251000 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25673
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a floating point exception in TensorListSplit when XLA is enabled. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251001 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25669
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a floating point exception in tf.raw_ops.AvgPoolGrad when the stride and window size are not positive. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251007 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-25671
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by an out-of-bounds read in ValueMap::Manager::GetValueOrCreatePlaceholder. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251004 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41887
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a buffer overflow in the tf.keras.losses.poisson function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240384 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41907
DESCRIPTION: TensorFlowx is vulnerable to a denial of service, caused by a buffer overflow in the tf.raw_ops.ResizeNearestNeighborGrad function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240396 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41902
DESCRIPTION: TensorFlow could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw in MakeGrapplerFunctionItem function in grappler. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause the application to crash.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241459 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-41901
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a CHECK_EQ fail via inputs in the SparseMatrixNNZ function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240400 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41900
DESCRIPTION: TensorFlow could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a heap out-of-bounds write flaw in the FractionalMaxPool and FractionalAvgPool functions. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240397 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-41899
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a CHECK fail via inputs in the SdcaOptimizer function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240395 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41898
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a CHECK fail via inputs in the SparseFillEmptyRowsGrad function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240394 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41908
DESCRIPTION: TensorFlowx is vulnerable to a denial of service, caused by a 'CHECK' fail in tf.raw_ops.PyFunc. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240398 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41897
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a heap out-of-bounds read flaw in the FractionalMaxPoolGrad function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240393 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41895
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a heap out-of-bounds read flaw in the MirrorPadGrad function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240391 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41893
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a CHECK_EQ fail in the tf.raw_ops.TensorListResize function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240389 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41891
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a segment fault in the tf.raw_ops.TensorListConcat function due to improper input validation. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240388 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41890
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a CHECK` fail in BCast overflow. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240387 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41889
DESCRIPTION: TensorFlowis vulnerable to a denial of service, caused by a segfault in the pywrap_tfe_src.cc function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240386 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41888
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a FPE in the tf.image.generate_bounding_box_proposals function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240385 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41896
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by improper input validation by the tf.raw_ops.Mfcc function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240392 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41909
DESCRIPTION: TensorFlowx is vulnerable to a denial of service, caused by segmentation fault in tf.raw_ops.CompositeTensorVariantToComponents function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240399 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41910
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a heap-based buffer overflow in the MakeGrapplerFunctionItem function in QuantizeAndDequantizeV2. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41911
DESCRIPTION: TensorFlowx is vulnerable to a denial of service, caused by invalid char to bool conversion when printing a tensor. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240401 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41886
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a buffer overflow in the ImageProjectiveTransformV2 function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240383 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41884
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a segment fault in the ndarray_tensor_bridge function due to improper input validation. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240381 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41880
DESCRIPTION: TensorFlow could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds read flaw when receiving a value in true_classes larger than range_max in the BaseCandidateSamplerOp function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240379 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H)
CVEID: CVE-2022-41894
DESCRIPTION: TensorFlow is vulnerable to a buffer overflow, caused by improper bounds checking by the CONV_3D_TRANSPOSE function on TFLite. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240390 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-32287
DESCRIPTION: Apache UIMA could allow a remote attacker to traverse directories on the system, caused by improper validation of user supplied input in a FileUtil class used by the PEAR management component. An attacker could use a specially-crafted archive file containing "dot dot" sequences (/../) to create files outside the designated target directory using carefully crafted ZIP entry names.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239434 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2023-25577
DESCRIPTION: Pallets Werkzeug is vulnerable to a denial of service, caused by a flaw when parsing multipart form data with many fields. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247557 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-23934
DESCRIPTION: Pallets Werkzeug could allow a remote attacker to bypass security restrictions, caused by improper input validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to set a cookie like =__Host-test=bad for another subdomain.
CVSS Base score: 2.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247553 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| IBM Watson Assistant for IBM Cloud Pak for Data | 4.0.2, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.5.1, 4.5.3, 4.6. 4.6.2, 4.6.3 |
Remediation/Fixes
For all affected versions, IBM strongly recommends addressing the vulnerability now by upgrading to the latest (v4.7.0 or later releases) release of IBM Watson Assistant for IBM Cloud Pak for Data which maintains backward compatibility with the versions listed above.
| Product Latest Version | Remediation/Fix/Instructions |
| IBM Watson Assistant for IBM Cloud Pak for Data 4.7.0 |
Follow instructions for Installing Watson Assistant in Link to Release (v4.7.0 release information) |
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Acknowledgement
Change History
06 Jul 2023: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
06 July 2023
UID
ibm17010075