Vulnerability Details
Basic Information
| Title | Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in DOMPurify |
|---|---|
| Type | ibm |
| Published | 2025-05-02T07:45:20 |
| Last Seen | 2025-05-02T10:56:38 |
| CVSS Score | 7.3 (HIGH) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | LOW |
| Availability Impact | LOW |
CVE Information
| CVE IDs | CVE-2024-45801 |
|---|---|
| CWE | CWE-1333: Inefficient Regular Expression Complexity |
| Bulletin Family | software |
Description
IBM watsonx Orchestrate Cartridge contains a vulnerable version of DOMPurify
## Vulnerability Details
**CVEID:** CVE-2024-45801
**DESCRIPTION:** DOMPurify, a DOM-based HTML sanitizer, could allow a remote attacker to execute arbitrary code, caused by a prototype pollution flaw in its nesting depth check. By adding or modifying properties of `Object.prototype` using a `__proto__` or `constructor` payload, an attacker could weaken the depth check and exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
**CWE:** CWE-1333: Inefficient Regular Expression Complexity
**CVSS Source:** CVE.org
**CVSS Base score:** 7.3
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
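To make the mechanism concrete, the following added example (constructed for this bulletin; it is not DOMPurify's source and not IBM's code) models a sanitizer whose nesting depth check derives each element's depth from its parent's `__depth` property. A hypothetical options merge (`naiveMerge`) that recurses into a `__proto__` key pollutes `Object.prototype.__depth`; the container node then appears to sit at a large negative depth and the limit is never reached. The hardened variant keeps depths in a `WeakMap`, so inherited properties are never consulted. The node shapes, the limit value, the payload and all function names are assumptions made for the illustration.

```javascript
// Added illustration for this bulletin; constructed toy code, not DOMPurify's
// source and not IBM's. It models the pattern the description refers to: a
// sanitizer whose depth check trusts a property inherited via Object.prototype.

const MAX_NESTING_DEPTH = 4; // assumption: small so the toy stays readable

// Constructed input: a container node (never sanitized itself, like <body>)
// holding a single chain of `levels` nested elements.
function makeNestedTree(levels) {
  const container = { tag: 'body', parent: null, children: [] };
  let cur = container;
  for (let i = 0; i < levels; i++) {
    const child = { tag: 'div', parent: cur, children: [] };
    cur.children.push(child);
    cur = child;
  }
  return container;
}

// Hypothetical options merge with the classic pollution sink: it recurses
// into a `__proto__` key, which resolves to Object.prototype on the target.
// (A `constructor.prototype` key reaches the same object if the merge also
// recurses into functions.)
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Vulnerable variant: each element's depth is derived from `parent.__depth`
// with a plain property read. The container has no own `__depth`, so the read
// falls through to Object.prototype; once that holds a large negative number,
// every descendant looks shallow and the limit is never reached.
// Returns the number of subtrees dropped for exceeding the limit.
function sanitizeVulnerable(container) {
  let removed = 0;
  const stack = [...container.children];
  while (stack.length) {
    const node = stack.pop();
    const parent = node.parent;
    node.__depth = parent && parent.__depth ? parent.__depth + 1 : 1;
    if (node.__depth >= MAX_NESTING_DEPTH) {
      removed += 1; // drop this node and its subtree
      continue;
    }
    stack.push(...node.children);
  }
  return removed;
}

// Hardened variant: depth lives in a WeakMap keyed by node, so nothing on
// Object.prototype can be mistaken for a depth value. The limit, if supplied,
// must be an own integer property of the options object.
function sanitizeHardened(container, options = {}) {
  const hasOwn = Object.prototype.hasOwnProperty.call(options, 'maxDepth');
  const limit = hasOwn && Number.isInteger(options.maxDepth) ? options.maxDepth : MAX_NESTING_DEPTH;
  const depthOf = new WeakMap();
  let removed = 0;
  const stack = [...container.children];
  while (stack.length) {
    const node = stack.pop();
    const depth = (depthOf.get(node.parent) ?? 0) + 1;
    depthOf.set(node, depth);
    if (depth >= limit) {
      removed += 1; // drop this node and its subtree
      continue;
    }
    stack.push(...node.children);
  }
  return removed;
}

// Constructed attacker payload: untrusted JSON that an application merges into
// a config object. JSON.parse creates an own "__proto__" key, which naiveMerge
// then follows into Object.prototype.
const POLLUTION_PAYLOAD = '{"theme":"dark","__proto__":{"__depth":-1000}}';

// Runs both checks before and after pollution and restores Object.prototype.
function runScenario(levels = 10) {
  const cleanVulnerable = sanitizeVulnerable(makeNestedTree(levels));
  naiveMerge({}, JSON.parse(POLLUTION_PAYLOAD));
  try {
    return {
      polluted: Object.prototype.__depth,       // -1000: the prototype was changed
      cleanVulnerable,                            // 1: limit enforced before pollution
      pollutedVulnerable: sanitizeVulnerable(makeNestedTree(levels)), // 0: bypassed
      pollutedHardened: sanitizeHardened(makeNestedTree(levels)),     // 1: still enforced
    };
  } finally {
    delete Object.prototype.__depth; // leave the runtime clean for other code
  }
}

console.log(runScenario());
```

Run it with `node`; `runScenario()` returns how many over-deep subtrees each variant dropped before and after the payload is merged. The point of the hardened form is not the integer check on its own but that per-node state never lives on an object whose prototype chain an attacker can reach; in a deployed product the durable fix remains the upgrade listed under Remediation/Fixes.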
## Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM watsonx Orchestrate with watsonx Assistant Cartridge | 4.8.4-4.8.5 |
| IBM watsonx Orchestrate with watsonx Assistant Cartridge | 5.0.0-5.1.1 |
## Remediation/Fixes
Upgrade to IBM watsonx Orchestrate Cartridge 5.1.2
https://www.ibm.com/docs/en/watsonx/watson-orchestrate/current?topic=installing-watsonx-orchestrate-premises
## Workarounds and Mitigations
None
Impact Assessment
| Base Score | 7.3 |
|---|---|
| Severity | HIGH |