
Summary

IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure in golang-jwt, caused by improper error handling in ParseWithClaims [CVE-2024-51744]. Golang-jwt is used in our Watson Speech Utilities. This vulnerability has been addressed. Please read the details for remediation below.

Vulnerability Details

CVEID: CVE-2024-51744

DESCRIPTION: golang-jwt jwt-go could allow a remote attacker to obtain sensitive information, caused by improper error handling in ParseWithClaims. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CWE: CWE-755: Improper Handling of Exceptional Conditions

CVSS Source: IBM X-Force

CVSS Base score: 3.1

CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM Watson Speech Services Cartridge | 4.0.0 – 5.1.0

Remediation/Fixes

Product(s) | Version(s) | Remediation/Fix/Instructions
---|---|---
IBM Watson Speech Services Cartridge | 5.1.1 | The fix in 5.1.1 applies to all versions listed (4.0.0-5.1.0). Version 5.1.1 can be downloaded and installed from: https://www.ibm.com/docs/en/cloud-paks/cp-data

Workarounds and Mitigations…
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure in golang-jwt [CVE-2024-51744]

