35608 matches found
Security Bulletin: IBM Analytics Content Hub is affected by security vulnerabilities
Summary There are vulnerabilities in multiple Open Source Software OSS components consumed by IBM Analytics Content Hub. Additionally, IBM Analytics Content Hub is vulnerable to Unrestricted File Upload, Information Disclosure, Java Source Map and Verbose Messaging vulnerabilities. This Security...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service and improper input validation [CVE-2025-3262] [CVE-2025-3263] [CVE-2025-3264] [CVE-2025-3777]
Summary Python module transformers is used by IBM App Connect Enterprise Certified Container by the mapping assistance capability. IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service and improper input validatio...
Security Bulletin: IBM Financial Transaction Manager is impacted by multiple vulnerabilities in RedHat Proxy for Kubernetes RBAC authorization
Summary IBM Financial Transaction Manager for RedHat OpenShift has addressed the following vulnerabilities. Vulnerability Details CVEID:CVE-2025-22868 DESCRIPTION: An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. CWE:CWE-1286: Improper...
Security Bulletin: Multiple vulnerabilities within WebSphere Application and IBM HTTP Server, affect IBM Tivoli Monitoring.
Summary Multiple vulnerabilities within WebSphere Application and IBM HTTP Server which is included as part of IBM Tivoli Monitoring ITM portal server have been remediated. Vulnerability Details CVEID:CVE-2025-33104 DESCRIPTION: IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to...
Security Bulletin: Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering which affects IBM watsonx.data
Summary Prism aka PrismJS through 1.29.0 allows DOM Clobbering with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript, because document.currentScript lookup can be shadowed by attacker-injected HTML elements. These can affect watsonx.data. Vulnerability...
Security Bulletin: Oracle Outside In Technology (OIT) security vulnerabilities in FileNet Content Manager (FNCM) Content Based Retrieval (CBR) content indexing
Summary Oracle Outside In Technology OIT CVE-2024-45492, CVE-2024-25269, CVE-2024-36052, CVE-2023-39743 security vulnerabilities in FileNet Content Manager FNCM Content Based Retrieval CBR content indexing. Vulnerability Details CVEID:CVE-2024-45492 DESCRIPTION: libexpat could allow a local...
Security Bulletin: Apache Axis1 CVE-2023-51441 security vulnerability in FileNet Content Manager, Process Engine Process Orchestration
Summary Apache Axis1 CVE-2023-51441 security vulnerability in FileNet Content Manager, Process Engine Process Orchestration. Affected, not vulnerable Vulnerability Details CVEID:CVE-2023-51441 DESCRIPTION: Apache Axis is vulnerable to server-side request forgery, caused by a improper input...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in commons-io-2.8.0.jar
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of commons-io-2.8.0.jar Vulnerability Details CVEID:CVE-2024-47554 DESCRIPTION: Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consu...
Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM)
Summary WebSphere Application Server is shipped as a component of IBM Security Guardium Key Lifecycle Manager SKLM/GKLM. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulleti...
Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses an application is vulnerable to a reflected file download (RFD) attack.
Summary Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses an application is vulnerable to a reflected file download RFD attack.The filename is derived from user-supplied input but sanitized by the application. Vulnerability Details CVEID:CVE-2025-41234 DESCRIPTION:...
Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses uthentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.
Summary Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses uthentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those...
Security Bulletin: IBM OpenPages fixes multiple vulnerabilities
Summary Multiple vulnerabilities with IBM OpenPages have been addressed in the latest IBM OpenPages fixpack for 9.0 Vulnerability Details CVEID:CVE-2022-24891 DESCRIPTION: ESAPI is vulnerable to cross-site scripting, caused by incorrect regular expression for onsiteURL in the antisamy-esapi.xml...
Security Bulletin: IBM Sterling External Authentication Server is vuulnerable due to path-to-regexp (CVE-2024-45296).
Summary IBM Sterling External Authentication Server uses the npm path-to-regexp, which is vulnerable to CVE-2024-45296. Vulnerability Details CVEID:CVE-2024-45296 DESCRIPTION: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular...
Security Bulletin: IBM Sterling External Authentication Server is vulnerable to Apache Commons IO.
Summary Security Bulletin:IBM Sterling External Authentication Server is vulnerable to Apache Commons IO. Vulnerability Details CVEID:CVE-2024-47554 DESCRIPTION: Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may...
Security Bulletin: Security vulnerabilities have been addressed in IBM Verify Identity Access OIDC Provider (CVE-2024-45337, CVE-2025-22869)
Summary Multiple security vulnerabilities have been addressed in IBM Verify Identity Access OIDC Provider. Vulnerability Details CVEID:CVE-2024-45337 DESCRIPTION: Applications and libraries which misuse connection.serverAuthenticate via callback field ServerConfig.PublicKeyCallback may be...
Security Bulletin: IBM InfoSphere Data Replication VSAM for z/OS Remote Source is vulnerable to a denial of service by sending an invalid HTTP request to the log reading service due to CVE-2024-56468.
Summary An invalid HTTP request to the log reading service could lead to a denial of service for IBM InfoSphere Data Replication VSAM for z/OS Remote Source. Vulnerability Details CVEID:CVE-2024-56468 DESCRIPTION: IBM InfoSphere Data Replication VSAM for z/OS Remote Source could allow a remote us...
Security Bulletin: A denial-of-service attack, heap use after free, network server exploit, and other vulnerabilities might affect IBM Storage Defender - Resiliency Service
Summary IBM Storage Defender - Resiliency Service is vulnerable to denial-of-service attack, heap use after free, network server exploit, and others. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-32873 DESCRIPTION: An issue was discovered in Django 4.2 before 4.2.2...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in oniguruma 6.9.6-1.el9.6
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of oniguruma 6.9.6-1.el9.6 Vulnerability Details CVEID:CVE-2019-16163 DESCRIPTION: Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c. CWE:CWE-674: Uncontrolled Recursion CVSS Sourc...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in postgresql 13.16-1.el9_4
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of postgresql 13.16-1.el94 Vulnerability Details CVEID:CVE-2023-39418 DESCRIPTION: A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in zlib 1.2.7
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of zlib 1.2.7 Vulnerability Details CVEID:CVE-2016-9842 DESCRIPTION: The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in transformers 4.36.2
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of transformers 4.36.2 Vulnerability Details CVEID:CVE-2024-3568 DESCRIPTION: The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in apr 1.7.0-12.el9_3
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of apr 1.7.0-12.el93 Vulnerability Details CVEID:CVE-2022-28331 DESCRIPTION: On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in aprsocketsendv. This is a result of intege...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in github.com/golang-jwt/jwt/v4 v4.4.2
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of github.com/golang-jwt/jwt/v4 v4.4.2 Vulnerability Details CVEID:CVE-2024-51744 DESCRIPTION: golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in cross-spawn-4.0.2.tgz
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of cross-spawn-4.0.2.tgz Vulnerability Details CVEID:CVE-2024-21538 DESCRIPTION: Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service ReDoS due t...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in axios-1.6.1.tgz
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of axios-1.6.1.tgz Vulnerability Details IBM X-Force ID: 386108 DESCRIPTION: axios is vulnerable to a denial of service, caused by a regular expression denial of service ReDoS flaw in the format method. By sending a specially...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-webflux-5.3.27.jar
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-webflux-5.3.27.jar Vulnerability Details CVEID:CVE-2024-38819 DESCRIPTION: Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-security-web-5.8.5.jar
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-security-web-5.8.5.jar Vulnerability Details CVEID:CVE-2024-38821 DESCRIPTION: Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstance...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-context-5.3.24.jar
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-context-5.3.24.jar Vulnerability Details CVEID:CVE-2024-38820 DESCRIPTION: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase has some Locale...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in elliptic-6.5.4.tgz
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of elliptic-6.5.4.tgz Vulnerability Details CVEID:CVE-2024-48948 DESCRIPTION: The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in jsonpath-plus-0.19.0.tgz
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of jsonpath-plus-0.19.0.tgz Vulnerability Details CVEID:CVE-2024-21534 DESCRIPTION: All versions of the package jsonpath-plus are vulnerable to Remote Code Execution RCE due to improper input sanitization. An attacker can...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-webflux-5.3.27.jar
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-webflux-5.3.27.jar Vulnerability Details CVEID:CVE-2024-38816 DESCRIPTION: Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks...
Security Bulletin: Vulnerabilities in IBM Java included with IBM Tivoli Composite Application Manager for Applications WebSphere MQ Monitoring Agent
Summary Vulnerabilities in IBM SDK Java Technology Edition that is shipped as part of agent framework in ITCAM for Applications WebSphere MQ Monitoring Agent. CVEs: CVE-2023-21830, CVE-2023-33850, CVE-2025-4447. Vulnerability Details CVEID:CVE-2023-21830 DESCRIPTION: An unspecified vulnerability ...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-web-5.3.26.jar
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-web-5.3.26.jar Vulnerability Details CVEID:CVE-2016-1000027 DESCRIPTION: Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution RCE issue if used for Java deserialization of untrusted...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in postgresql-42.5.1.jar
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of postgresql-42.5.1.jar Vulnerability Details CVEID:CVE-2024-1597 DESCRIPTION: pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-web-5.3.26.jar
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-web-5.3.26.jar Vulnerability Details CVEID:CVE-2016-1000027 DESCRIPTION: Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution RCE issue if used for Java deserialization of untrusted...
Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Stored Cross-Site Scripting (CVE-2025-3630)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the stored cross-site scripting vulnerability Vulnerability Details CVEID:CVE-2025-3630 DESCRIPTION: IBM InfoSphere Information Server is vulnerable to stored cross-site scripting. This vulnerability allows...
Security Bulletin: IBM Sterling File Gateway is Vulnerable to Information Disclosure (CVE-2025-2827)
Summary IBM Sterling File Gateway has addressed the information disclosure vulnerability Vulnerability Details CVEID:CVE-2025-2827 DESCRIPTION: IBM Sterling File Gateway could disclose sensitive installation directory information to an authenticated user that could be used in further attacks...
Security Bulletin: The Dashboard UI of IBM Sterling B2B Integrator and IBM Sterling File Gateway is Vulnerable to Cross-Site Scripting (CVE-2025-2793)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the Cross-Site Scripting vulnerability Vulnerability Details CVEID:CVE-2025-2793 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. This vulnerability allows an...
Security Bulletin: Security Vulnerability in Authorization Rules in Spring Security Affects IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2024-38827)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the security vulnerability in Spring Security Vulnerability Details CVEID:CVE-2024-38827 DESCRIPTION: The usage of String.toLowerCase and String.toUpperCase has some Locale dependent exceptions that could potentially...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to uncontrolled recursion in Golang (CVE-2022-30630)
Summary Golang is used by IBM Storage Fusion Data Foundation in mcg and cephcsi. as part of the operator. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2022-30630. Vulnerability Details CVEID:CVE-2022-30630 DESCRIPTION: Golang G...
Security Bulletin: IBM Storage Ceph is vulnerable to Prototype Pollution in Grafana (CVE-2024-48910)
Summary Grafana is used by IBM Storage Ceph as a metrics dashboard. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2024-48910 Vulnerability Details CVEID:CVE-2024-48910 DESCRIPTION: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML,...
Security Bulletin: IBM Storage Ceph is vulnerable to Integer Overflow in KeepAlived (CVE-2024-41184)
Summary KeepAlived is used by IBM Storage Ceph in Cephadm and other assorted components. CVE-2024-41184 This bulletin identifies the steps to take to address the vulnerability in IBM Storage Ceph. Vulnerability Details CVEID:CVE-2024-41184 DESCRIPTION: In the vrrpipsetshandler handler...
Security Bulletin: IBM Storage Ceph contains vulnerabilities found in Golang (CVE-2024-24785 CVE-2024-24784 CVE-2024-24783 CVE-2024-24788 CVE-2024-24789 CVE-2024-24790 CVE-2024-6104 CVE-2024-24791 CVE-2024-34155 CVE-2024-34156)
Summary Golang is used by IBM Storage Ceph in Grafana and the Dashboard. CVE-2024-24785 CVE-2024-24784 CVE-2024-24783 CVE-2024-24788 CVE-2024-24789 CVE-2024-24790 CVE-2024-6104 CVE-2024-24791 CVE-2024-34155 CVE-2024-34156 This bulletin identifies the steps to take to address the vulnerability in...
Security Bulletin: IBM Storage Ceph is vulnerable to HTTP Request/Response Smuggling and Unauthorized Exposure of Information in HAProxy (CVE-2023-40225, CVE-2023-0836, CVE-2023-25725, CVE-2023-45539)
Summary HAProxy is used by IBM Storage Ceph for Load Balancing. This bulletin identifies the steps to take to address the vulnerability in HAProxy. CVE-2023-40225, CVE-2023-0836, CVE-2023-25725, CVE-2023-45539. Vulnerability Details CVEID:CVE-2023-40225 DESCRIPTION: HAProxy through 2.0.32, 2.1.x...
Security Bulletin: IBM Storage Ceph is vulnerable to Insufficient Verification of Data Authenticity in Certifi (CVE-2022-23491)
Summary Certifi is used by IBM Storage Ceph for certificates and authentication . CVE-2022-23491 This bulletin identifies the steps to take to address the vulnerability in IBM Storage Ceph. Vulnerability Details CVEID:CVE-2022-23491 DESCRIPTION: Certifi is a curated collection of Root Certificate...
Security Bulletin: IBM Storage Ceph is vulnerable to Cross-Site Scripting in Grafana (CVE-2024-47875)
Summary Grafana is used by IBM Storage Ceph as a metrics dashboard. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2024-47875 Vulnerability Details CVEID:CVE-2024-47875 DESCRIPTION: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML,...
Security Bulletin: IBM Storage Ceph is vulnerable to Reachable Assertion in the RHEL UBI (CVE-2024-33601)
Summary RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2024-33601. Vulnerability Details CVEID:CVE-2024-33601 DESCRIPTION: nscd: netgroup cache may terminate daemon on memory allocatio...
Security Bulletin: IBM Storage Ceph is vulnerable to Code Injection in Grafana (CVE-2024-53382)
Summary Grafana is used by IBM Storage Ceph as a metrics dashboard. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2024-53382 Vulnerability Details CVEID:CVE-2024-53382 DESCRIPTION: Prism aka PrismJS through 1.29.0 allows DOM Clobbering with resultant XSS...
Security Bulletin: Maximo AI Service Component: Spring Security Aspects may not correctly locate method security annotations on private methods.
Summary Security Bulletin: Maximo AI Service Component Component uses Spring Security Aspects may not correctly locate method security annotations on private methods.This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-22233...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in serve-static-1.15.0.tgz
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of serve-static-1.15.0.tgz Vulnerability Details CVEID:CVE-2024-43800 DESCRIPTION: serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect may execute untrusted code...