Security Bulletin: Vulnerability in gunicorn affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2024-1135].
Summary The gunicorn package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2024-1135. Vulnerability Details CVEID:CVE-2024-1135 DESCRIPTION: Gunicorn is vulnerable to HTTP request smuggling, caused by improper parsing of the...
Security Bulletin: Vulnerability in jinja2 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2024-56201, CVE-2024-56326].
Summary The jinja2 package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2024-56201, CVE-2024-56326. Vulnerability Details CVEID:CVE-2024-56201 DESCRIPTION: Jinja is an extensible templating engine. In versions on the 3.x bran...
Security Bulletin: Vulnerability in gunicorn affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2024-6827].
Summary The gunicorn package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2024-6827. Vulnerability Details CVEID:CVE-2024-6827 DESCRIPTION: Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encodin...
Security Bulletin: security vulnerabilities are addressed with IBM Business Automation Insights iFixes for April 2025.
Summary Security vulnerabilities are addressed with IBM Business Automation Insights 24.0.1-IF002 and IBM Business Automation Insights 24.0.0-IF003 Vulnerability Details CVEID:CVE-2025-1634 DESCRIPTION: A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client...
Security Bulletin: Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition for Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint
Summary IBM Java: Two OpenJ9 internal ASCII to EBCDIC string wrapper vulnerabilities on z/OS Vulnerability Details CVEID:CVE-2025-1470 DESCRIPTION: In Eclipse OMR, from the initial contribution to version 0.4.0, some OMR internal port library and utilities consumers of z/OS atoe functions do not...
Security Bulletin: FreeType versions 2.13.0 and below may lead to remote code execution for IBM Storage Virtualize vSphere Remote Plug-in (CVE-2025-27363)
Summary IBM Storage Virtualize vSphere Remote Plug-in virtual appliance runs an NGINX container built on a Debian-based image that uses a vulnerable version of the FreeType library 2.13.0 or earlier. This version is affected by CVE-2025-27363, a critical vulnerability that may allow remote code...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to spring-context-6.1.11.jar CVE-2024-38820
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to spring-context-6.1.11.jar CVE-2024-38820. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-38820 DESCRIPTION: VMware Tanzu Spring Framework could provide weaker...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to a possible denial-of-service for Python-idna CVE-2024-3651
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to a possible denial-of-service for Python-idna CVE-2024-3651. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-3651 DESCRIPTION: idna could allow a local user to...
Security Bulletin: Vulnerability in Flask_Cors affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2024-1681].
Summary The Flask-Cors package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2024-1681. Vulnerability Details CVEID:CVE-2024-1681 DESCRIPTION: Flask-CORS could allow a remote attacker to bypass security restrictions, caused by ...
Security Bulletin: Vulnerability in Flask-Cors affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2024-6221].
Summary The Flask-Cors package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2024-6221. Vulnerability Details CVEID:CVE-2024-6221 DESCRIPTION: A vulnerability in corydolphin/flask-cors version 4.0.1 allows the...
Security Bulletin: Multiple Vulnerabilities in VMware vCenter affect Cloud Pak System [CVE-2024-37079, CVE-2024-37080, CVE-2024-37081]
Summary Vulnerabilities in Broadcom VMware vCenter affect IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-37079 DESCRIPTION: vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may...
Security Bulletin: Multiple Vulnerabilities in IBM Cloud Pak for Network Automation
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for Network Automation 2.7.8. Vulnerability Details CVEID:CVE-2024-24790 DESCRIPTION: An unspecified error related to the various Is methods (IsPrivate, IsLoopback, etc.) that did not work as expected for IPv4-mapped IPv6 addresses in the...
Security Bulletin: Vulnerability in urllib3 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2024-37891].
Summary The urllib3 package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2024-37891. Vulnerability Details CVEID:CVE-2024-37891 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information,...
Security Bulletin: Vulnerability in commons-compress affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2024-25710, CVE-2024-26308].
Summary The commons-compress package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2024-25710, CVE-2024-26308. Vulnerability Details CVEID:CVE-2024-25710 DESCRIPTION: Loop with Unreachable Exit Condition ('Infinite Loop')...
Security Bulletin: Vulnerability in urllib3 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2023-43804, CVE-2023-45803].
Summary The urllib3 package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2023-43804, CVE-2023-45803. Vulnerability Details CVEID:CVE-2023-43804 DESCRIPTION: urllib3 is a user-friendly HTTP client library for Python. urllib3...
Security Bulletin: Vulnerability in Werkzeug affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2023-46136].
Summary The Werkzeug package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2023-46136. Vulnerability Details CVEID:CVE-2023-46136 DESCRIPTION: Pallets Werkzeug is vulnerable to a denial of service, caused by a flaw when parsin...
Security Bulletin: Vulnerability in urllib3 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2023-43804].
Summary The urllib3 package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2023-43804. Vulnerability Details CVEID:CVE-2023-43804 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information,...
Security Bulletin: Vulnerability in Flask-Cors affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2020-25032]
Summary The Flask-Cors package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2020-25032. Vulnerability Details CVEID:CVE-2020-25032 DESCRIPTION: Flask-CORS could allow a remote attacker to traverse directories on the system. A...
Security Bulletin: Vulnerability in requests affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2023-32681]
Summary The requests package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2023-32681. Vulnerability Details CVEID:CVE-2023-32681 DESCRIPTION: Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking...
Security Bulletin: Vulnerability in urllib3 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2020-26137, CVE-2020-7212, CVE-2021-33503]
Summary The urllib3 package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2020-26137, CVE-2020-7212, CVE-2021-33503. Vulnerability Details CVEID:CVE-2020-26137 DESCRIPTION: urllib3 is vulnerable to CRLF injection. By inserting...
Security Bulletin: XML External Entity (XXE) injection vulnerability affects IBM Business Automation Workflow - CVE-2023-4218
Summary IBM Business Automation Workflow containers package a vulnerable copy of Eclipse jars. Vulnerability Details CVEID:CVE-2023-4218 DESCRIPTION: Eclipse IDE could allow a local authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE)...
Security Bulletin: Security vulnerabilities addressed with IBM Business Automation Workflow container updates in April 2025
Summary Multiple security vulnerabilities are addressed with IBM Business Automation Workflow containers updates in April 2025. Vulnerability Details CVEID:CVE-2023-50314 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the...
Security Bulletin: A remote code execution vulnerability affects IBM Business Automation Workflow - CVE-2025-27363
Summary IBM Business Automation Workflow containers package a vulnerable version of FreeType. Vulnerability Details CVEID:CVE-2025-27363 DESCRIPTION: An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font...
Security Bulletin: Information leakage vulnerability affects IBM Business Automation Workflow - CVE-2025-1495
Summary IBM Business Automation Workflow is vulnerable to an information leakage attack. Vulnerability Details CVEID:CVE-2025-1495 DESCRIPTION: IBM Business Automation Workflow Center may leak sensitive information due to missing authorization validation. CWE:CWE-306: Missing Authentication for...
Security Bulletin: Denial of Service vulnerability affects IBM Business Automation Workflow - CVE-2025-1838
Summary IBM Business Automation Workflow Center is vulnerable to a denial of service attack. Vulnerability Details CVEID:CVE-2025-1838 DESCRIPTION: IBM Business Automation Workflow Authoring allows an authenticated user to bypass client-side data validation in an authoring user interface which...
Security Bulletin: Security vulnerability in Apache Kafka clients affects IBM Business Automation Workflow Case Event Emitters - CVE-2024-31141
Summary IBM Business Automation Workflow Case Event Emitters package a vulnerable version of Apache Kafka clients. Vulnerability Details CVEID:CVE-2024-31141 DESCRIPTION: Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apac...
Security Bulletin: Vulnerability in eclipse affects IBM Business Automation Workflow - CVE-2023-4218
Summary IBM Business Automation Workflow packages a vulnerable version of Eclipse jar files. Vulnerability Details CVEID:CVE-2023-4218 DESCRIPTION: Eclipse IDE could allow a local authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE)...
Security Bulletin: Additional security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for April 2025.
Summary In addition to vulnerabilities announced in Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF005 and 24.0.1-IF002, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation...
Security Bulletin: Multiple vulnerabilities affect IBM Business Automation Workflow - CVE-2025-27789, CVE-2024-57965, CVE-2025-27152, CVE-2024-55565
Summary Some IBM Business Automation Workflow user interfaces may be affected by vulnerabilities in JavaScript libraries. Vulnerability Details CVEID:CVE-2025-27789 DESCRIPTION: Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and...
Security Bulletin: IBM Maximo Application Suite - MVI Component uses FreeType, which is vulnerable to CVE-2025-27363
Summary IBM Maximo Application Suite - MVI Component uses FreeType, which is vulnerable to CVE-2025-27363. Vulnerability Details CVEID:CVE-2025-27363 DESCRIPTION: An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse...
Security Bulletin: IBM MQ Appliance is affected by a libxml2 use-after-free vulnerability (CVE-2022-49043)
Summary IBM MQ Appliance has addressed a libxml2 use-after-free vulnerability. Vulnerability Details CVEID:CVE-2022-49043 DESCRIPTION: xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. CWE:CWE-416: Use After Free CVSS Source: [email protected] CVSS Base score: 8.1 CVSS...
Security Bulletin: IBM MQ is affected by a denial of service vulnerability (CVE-2025-27365)
Summary IBM MQ has addressed a denial of service vulnerability. Vulnerability Details CVEID:CVE-2025-27365 DESCRIPTION: An IBM MQ client connecting to an IBM MQ queue manager can cause a SIGSEGV in the AMQRMPPA channel process terminating it. CWE:CWE-416: Use After Free CVSS Source: IBM CVSS Base...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in OpenSSL (CVE-2024-9143)
Summary A vulnerability in OpenSSL that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2024-9143 DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds memory read or write flaw due to the...
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to an out of bounds write due to the FreeType package (CVE-2025-27363)
Summary FreeType is used by DataStage on Cloud Pak for Data as part of text processing functionality. Vulnerability Details CVEID:CVE-2025-27363 DESCRIPTION: An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in DOMPurify
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of DOMPurify Vulnerability Details CVEID:CVE-2024-47875 DESCRIPTION: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerabilit...
Security Bulletin: IBM watsonx Orchestrate with watsonx Assistant Cartridge affected by vulnerability in dompurify
Summary IBM watsonx Orchestrate with watsonx Assistant Cartridge contains a vulnerable version of dompurify Vulnerability Details CVEID:CVE-2024-48910 DESCRIPTION: DOMPurify could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution. By...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in IP
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of IP Vulnerability Details CVEID:CVE-2024-29415 DESCRIPTION: The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1 are...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a server-side request forgery vulnerability (CVE-2025-27907)
Summary IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a server-side request forgery vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a server-side request forgery vulnerability (CVE-2025-27907)
Summary IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a server-side request forgery vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Product...
Security Bulletin: IBM Planning Analytics Cartridge has addressed a security vulnerability in Golang Go (CVE-2024-24790)
Summary IBM Planning Analytics Cartridge is considered affected by a vulnerability in Golang Go. For more information about the vulnerability impact, refer to the table in the "Related Information" section. This Security Bulletin relates only to the direct usage of third-party components by IBM...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a server-side request forgery vulnerability (CVE-2025-27907)
Summary IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a server-side request forgery vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products...
Security Bulletin: IBM MQ Appliance is affected by a libxml2 use-after-free vulnerability (CVE-2022-49043)
Summary IBM MQ Appliance has addressed a libxml2 use-after-free vulnerability. Vulnerability Details CVEID:CVE-2022-49043 DESCRIPTION: xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free vulnerability. CWE:CWE-416: Use After Free CVSS Source: [email protected] CVSS Base...
Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2025-27365)
Summary IBM MQ Appliance has resolved a denial of service vulnerability. Vulnerability Details CVEID:CVE-2025-27365 DESCRIPTION: An IBM MQ client connecting to an IBM MQ queue manager can cause a SIGSEGV in the AMQRMPPA channel process terminating it. CWE:CWE-416: Use After Free CVSS Source: IBM...
Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2025-27907)
Summary WebSphere Application Server is shipped as a component of IBM Business Automation Workflow. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional has been published in a security bulletin. Vulnerability Details Refer to the security bulletins...
Security Bulletin: Multiple vulnerabilities in Java affect IBM Business Automation Workflow - October 2024 CPU
Summary IBM Business Automation Workflow traditional includes IBM Java 8. Information about security vulnerabilities in these Java runtimes has been published. Vulnerability Details CVEID:CVE-2024-21235 DESCRIPTION: Vulnerability in Java SE component: Hotspot. Difficult to exploit vulnerability...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in DOMPurify
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of DOMPurify Vulnerability Details CVEID:CVE-2024-45801 DESCRIPTION: DOMPurify could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in depth check. By adding or modifying...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF005 and 24.0.1-IF002.
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF005 and 24.0.1-IF002. Vulnerability Details CVEID:CVE-2025-22866 DESCRIPTION: Due to the usage of a variable time...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.8 is vulnerable to multiple Base OS issues
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.8 is vulnerable to multiple Base OS issues. We have updated the base image used by our Speech Services and the following vulnerabilities have been addressed. Please read the details for remediation below. Vulnerability...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to multiple Operator package issues
Summary IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to multiple Operator package issues. We have performed updates to the Operators used by our Speech Services. The following vulnerabilities have been addressed in this update. Please read the details for remediation below...
Security Bulletin: IBM Watson Speech Services Cartridge v5.1.2 is vulnerable to a Base OS issue in LibYAML (CVE-2024-35325)
Summary IBM Watson Speech Services Cartridge v5.1.2 is vulnerable to a Base OS issue in LibYAML, caused by a double-free in the function yaml_event_delete of the file /src/libyaml/src/api.c (CVE-2024-35325). We have updated the base image used by our Speech Services and the following vulnerability h...