Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Rails

Vulnerability Details

CVEID:   CVE-2020-8163
DESCRIPTION:   Rails could allow a remote attacker to execute arbitrary code on the system, caused by a code injection vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184567 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-8185
DESCRIPTION:   Rails is vulnerable to a denial of service, caused by improper access control. By sending a specially crafted request, a remote attacker could exploit this vulnerability to run pending migrations in production.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184564 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2020-8166
DESCRIPTION:   Ruby on Rails is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by authenticity_token meta tag. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unintended actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184553 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)