AVID-2026-R1132

Description

IBM Watson Knowledge Catalog on Cloud Pak SQL injection (CVE-2022-41731)

Details

IBM Watson Knowledge Catalog on Cloud Pak for Data 4.5.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 237402.

Reason for inclusion in AVID: CVE-2022-41731 describes a network-accessible SQL injection in IBM Watson Knowledge Catalog on Cloud Pak for Data, a product used in AI data pipelines and governance. The vulnerability enables remote attackers to view, add, modify, or delete data, impacting confidentiality and potentially integrity. This is a software component used within AI systems/tools and is part of the AI supply chain (data catalog/management). The CVE provides explicit evidence of a security vulnerability with clear impact signals, supporting classification as an AI-relevant, supply-chain software vulnerability.

References

Affected or Relevant Artifacts

  • Developer: IBM
  • Deployer: IBM
  • Artifact Details:
      Type: System
      Name: Watson Knowledge Catalog on-prem

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Base Score: 8.6
Base Severity: 🔴 High
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: 🔴 High
Integrity Impact: 🟢 Low
Availability Impact: 🟢 Low

CWE

ID: CWE-89
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2023-02-06
  • Version: 0.3.3
  • AVID Entry