Lucene search

IBMACDBABA4BEBC098DA37120100F01E67DFD9D6040A03A389FA5C51B8B867A3D91

HistoryDec 14, 2020 - 2:44 a.m.

Security Bulletin: A vulnerability have been identified in jwt-go shipped with IBM Netcool Operations Insight Event Integrations Operator (CVE-2020-26160)

2020-12-1402:44:14

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

Summary

jwt-go is a dependency shipped with IBM Netcool Operations Insight Event Integrations Operator. Information about the security vulnerability affecting jwt-go has been published. (CVE-2020-26160)

Vulnerability Details

CVEID:CVE-2020-26160
**DESCRIPTION:**jwt-go could allow a remote attacker to bypass security restrictions, caused by a type assertion failure when m[“aud”] happens to be []string{}. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189408 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Netcool Operations Insight Event Integrations Operator	1.0.0 up to 1.1.0

Remediation/Fixes

Product(s)	Version(s)
IBM Netcool Operations Insight Event Integrations Operator	1.2.0
You can download this package from the IBM Passport Advantage website:

www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm

To obtain this new package, use the Find by part number field to search for part number:CC8YGML

Workarounds and Mitigations

None

CPENameOperatorVersion
netcool operations insighteq1.6.

CPE	Name	Operator	Version
	netcool operations insight	eq	1.6.

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

Related for ACDBABA4BEBC098DA37120100F01E67DFD9D6040A03A389FA5C51B8B867A3D91