Security Bulletin: Several vulnerabilities affect Watson Machine Learning Accelerator on Cloud Pak for Data 5.0.0

CVEID:   CVE-2024-3568
DESCRIPTION:   Hugging Face Transformers could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the load_repo_checkpoint() function under the TFPreTrainedModel() class. By persuading a victim to load specially crafted payload during a normal training process, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   IBM X-Force
CVSS Base score:   3.4
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L)

CVEID:   CVE-2024-25026
DESCRIPTION:   IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 are vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 281516.
CWE:   CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source:   IBM X-Force
CVSS Base score:   5.9
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2018-20225
DESCRIPTION:   Pip could allow a local attacker to execute arbitrary code on the system, caused by a flaw in the --extra-index-url option. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: This vulnerability is being disputed as the vulnerability being reported is the intended functionality and the user is responsible for using --extra-index-url securely.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   IBM X-Force
CVSS Base score:   7.8
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2024-28102
DESCRIPTION:   JWCrypto is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted JWE Token with a high compression ratio, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE:   CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source:   CVE.org
CVSS Base score:   6.8
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)

CVEID:   CVE-2024-34069
DESCRIPTION:   Pallets Werkzeug could allow a remote attacker to execute arbitrary code on the system, caused by improper usage of a pathname and improper CSRF protection in the debugger. By persuading a victim to interact with a domain and subdomain they control, enter the debugger PIN and guess a URL in the developer's application that will trigger the debugger, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE:   CWE-352: Cross-Site Request Forgery (CSRF)
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2024-27318
DESCRIPTION:   Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory. The vulnerability occurs as a bypass for the patch added for CVE-2022-25882.
CWE:   CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Source:   NVD
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2023-25193
DESCRIPTION:   Harfbuzz is vulnerable to a denial of service, caused by an error in hb-ot-layout-gsubgpos.hh. By using consecutive marks during the process of looking back for base glyphs when attaching marks, a remote attacker could exploit this vulnerability to trigger O(n^2) growth and cause a denial of service.
CWE:   CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)