Summary Watson Machine Learning Accelerator on Cloud Pak for Data had an internal dependency on Grafana. Grafana dependency is now removed. Grafana component is no longer used or shipped with Watson Machine Learning Accelerator on Cloud Pak for Data. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details ** CVEID: CVE-2022-39302 DESCRIPTION: **Ree6 could allow a remote attacker to bypass security restrictions, caused by containing a channel from other server for sending log messages. By using a specially crafted Log-Message, an attacker could exploit this vulnerability to bypass raid and spam protections. CVSS Base score: 5.4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241438 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) ** CVEID: CVE-2022-32276 DESCRIPTION: **Grafana could allow a remote attacker to bypass security restrictions, caused by improper access control. By sending a specially-crafted request for snapshot query using random key parameters, an attacker could exploit this vulnerability to gain access to the system dashboard area by going through the login page. CVSS Base score: 6.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228383 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) ** CVEID: CVE-2022-31123 DESCRIPTION: **Grafana could allow a local authenticated attacker to bypass…Read More
References
Back to Main