Security Bulletin: IBM MQ is affected by a denial of service vulnerability (CVE-2025-27365)
Summary IBM MQ has addressed a denial of service vulnerability. Vulnerability Details CVEID:CVE-2025-27365 DESCRIPTION: An IBM MQ client connecting to an IBM MQ queue manager can cause a SIGSEGV in the AMQRMPPA channel process terminating it. CWE:CWE-416: Use After Free CVSS Source: IBM CVSS Base...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in OpenSSL (CVE-2024-9143)
Summary A vulnerability in OpenSSL that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2024-9143 DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds memory read or write flaw due to the...
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to an out of bounds write due to the FreeType package (CVE-2025-27363)
Summary FreeType is used by DataStage on Cloud Pak for Data as part of text processing functionality. Vulnerability Details CVEID:CVE-2025-27363 DESCRIPTION: An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in DOMPurify
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of DOMPurify Vulnerability Details CVEID:CVE-2024-47875 DESCRIPTION: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerabilit...
Security Bulletin: IBM watsonx Orchestrate with watsonx Assistant Cartridge affected by vulnerability in DOMPurify
Summary IBM watsonx Orchestrate with watsonx Assistant Cartridge contains a vulnerable version of DOMPurify Vulnerability Details CVEID:CVE-2024-48910 DESCRIPTION: DOMPurify could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution. By...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in IP
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of IP Vulnerability Details CVEID:CVE-2024-29415 DESCRIPTION: The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1 are...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a server-side request forgery vulnerability (CVE-2025-27907)
Summary IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a server-side request forgery vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a server-side request forgery vulnerability (CVE-2025-27907)
Summary IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a server-side request forgery vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Product...
Security Bulletin: IBM Planning Analytics Cartridge has addressed a security vulnerability in Golang Go (CVE-2024-24790)
Summary IBM Planning Analytics Cartridge is considered affected by a vulnerability in Golang Go. For more information about the vulnerability impact, refer to the table in the "Related Information" section. This Security Bulletin relates only to the direct usage of third-party components by IBM...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a server-side request forgery vulnerability (CVE-2025-27907)
Summary IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a server-side request forgery vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products...
Security Bulletin: IBM MQ Appliance is affected by a libxml2 use-after-free vulnerability (CVE-2022-49043)
Summary IBM MQ Appliance has addressed a libxml2 use-after-free vulnerability. Vulnerability Details CVEID:CVE-2022-49043 DESCRIPTION: xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free vulnerability. CWE:CWE-416: Use After Free CVSS Source: [email protected] CVSS Base...
Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2025-27365)
Summary IBM MQ Appliance has resolved a denial of service vulnerability. Vulnerability Details CVEID:CVE-2025-27365 DESCRIPTION: An IBM MQ client connecting to an IBM MQ queue manager can cause a SIGSEGV in the AMQRMPPA channel process terminating it. CWE:CWE-416: Use After Free CVSS Source: IBM...
Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2025-27907)
Summary WebSphere Application Server is shipped as a component of IBM Business Automation Workflow. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional has been published in a security bulletin. Vulnerability Details Refer to the security bulletins...
Security Bulletin: Multiple vulnerabilities in Java affect IBM Business Automation Workflow - October 2024 CPU
Summary IBM Business Automation Workflow traditional includes IBM Java 8. Information about security vulnerabilities in these Java runtimes has been published. Vulnerability Details CVEID:CVE-2024-21235 DESCRIPTION: Vulnerability in Java SE component: Hotspot. Difficult to exploit vulnerability...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in DOMPurify
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of DOMPurify Vulnerability Details CVEID:CVE-2024-45801 DESCRIPTION: DOMPurify could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in depth check. By adding or modifying...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF005 and 24.0.1-IF002.
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF005 and 24.0.1-IF002. Vulnerability Details CVEID:CVE-2025-22866 DESCRIPTION: Due to the usage of a variable time...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.8 is vulnerable to multiple Base OS issues
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.8 is vulnerable to multiple Base OS issues. We have updated the base image used by our Speech Services and the following vulnerabilities have been addressed. Please read the details for remediation below. Vulnerability...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to multiple Operator package issues
Summary IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to multiple Operator package issues. We have performed updates to the Operators used by our Speech Services. The following vulnerabilities have been addressed in this update. Please read the details for remediation below...
Security Bulletin: IBM Watson Speech Services Cartridge v5.1.2 is vulnerable to a Base OS issue in LibYAML (CVE-2024-35325)
Summary IBM Watson Speech Services Cartridge v5.1.2 is vulnerable to a Base OS issue in LibYAML, caused by a double-free in the function yaml_event_delete of the file /src/libyaml/src/api.c CVE-2024-35325. We have updated the base image used by our Speech Services and the following vulnerability h...
Security Bulletin: IBM Watson Speech Services Cartridge v5.1.2 is vulnerable to multiple Operator package issues
Summary IBM Watson Speech Services Cartridge v5.1.2 is vulnerable to multiple Operator package issues. We have performed updates to the Operators used by our Speech Services. The following vulnerabilities have been addressed in this update. Please read the details for remediation below...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to uninitialized resource use in Linux kernel [CVE-2024-50302]
Summary IBM Watson Speech Services Cartridge is vulnerable to uninitialized resource use in Linux kernel, due to a flaw in the report buffer that could leak kernel memory CVE-2024-50302. Linux kernel is used in our Speech microservices. This vulnerability has been addressed. Please read the...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an out-of-bounds write in Linux kernel [CVE-2024-53197]
Summary IBM Watson Speech Services Cartridge is vulnerable to an out-of-bounds write in Linux kernel, due to a false device that can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration CVE-2024-53197. Linux kernel is used in our Speech microservices. This...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an integer overflow in containerd [CVE-2024-40635]
Summary IBM Watson Speech Services Cartridge is vulnerable to an integer overflow in 'containerd', due to a flaw that allows containers launched with UID:GID larger than the maximum 32-bit signed integer, to cause a potential overflow condition CVE-2024-40635. Containerd is included as part of IB...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in olang Parse [CVE-2024-45338]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in olang Parse, caused by a flaw which allows specially crafted input that may result in extremely slow non-linear parsing CVE-2024-45338. is used in our speech utilities. This vulnerability has been addressed...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a denial of service in go-git [CVE-2025-21614]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in go-git, caused by a flaw in go-git clients that could allow attackers to provide specially crafted responses from a Git server which trigger a resource exhaustion CVE-2025-21614. Go-git is used in our...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to an argument injection vulnerability in go-git [CVE-2025-21613]
Summary IBM Watson Speech Services Cartridge is vulnerable to an argument injection vulnerability in go-git, caused by a flaw which may allow an attacker to set arbitrary values to git-upload-pack flags CVE-2025-21613. Go-git is used in our ibm-watson-speech-catalog images. This vulnerability ha...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to an uncontrolled resource consumption in Apache Commons IO [CVE-2024-47554]
Summary IBM Watson Speech Services Cartridge is vulnerable to an uncontrolled resource consumption in Apache Commons IO, due to a flaw in the org.apache.commons.io.input.XmlStreamReader class that may allow maliciously crafted input to excessively consume CPU resources while processing...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a server-side request forgery in logback-core [CVE-2024-12801]
Summary IBM Watson Speech Services Cartridge is vulnerable to a server-side request forgery in logback-core, due to a flaw in SaxEventRecorder by QOS.CH logback, that allows an attacker to forge requests by compromising logback configuration files in XML CVE-2024-12801. Logback-core is used in ou...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to an arbitrary code execution in logback-core [CVE-2024-12798]
Summary IBM Watson Speech Services Cartridge is vulnerable to an arbitrary code execution in logback-core, caused by a flaw in the JaninoEventEvaluator extension, that allows environment variable injection before program execution CVE-2024-12798. Logback-core is used in our Speech microservices...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a denial of service in VMware Tanzu Spring [CVE-2024-38809]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in VMware Tanzu Spring, caused by improper input validation CVE-2024-38809. VMware Tanzu Spring is used in our Speech microservices. This vulnerability has been addressed. Please read the details for remediation...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to weak security in VMware Tanzu Spring [CVE-2024-38820]
Summary IBM Watson Speech Services Cartridge is vulnerable to weak security in VMware Tanzu Spring, caused by a flaw related to disallowedFields patterns and case insensitivity in DataBinder CVE-2024-38820. VMware Tanzu Spring is used in our Speech microservices. This vulnerability has been...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to an authorization bypass in VMware Tanzu Spring [CVE-2024-38827]
Summary IBM Watson Speech Services Cartridge is vulnerable to an authorization bypass in VMware Tanzu Spring, due to Locale dependent exceptions in the usage of String.toLowerCase and String.toUpperCase CVE-2024-38827. VMware Tanzu Spring is used in our Speech microservices. This...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a security information disclosure in VMware Tanzu Spring [CVE-2024-38819]
Summary IBM Watson Speech Services Cartridge is vulnerable to a security information disclosure in VMware Tanzu Spring, due to path traversal exposures through the functional web framework: WebMvc.fn or WebFlux.fn CVE-2024-38819. VMware Tanzu Spring is used in our Speech microservices. This...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a security information disclosure in VMware Tanzu Spring [CVE-2024-38816]
Summary IBM Watson Speech Services Cartridge is vulnerable to a security information disclosure in VMware Tanzu Spring, due to path traversal exposures through the functional web frameworks: WebMvc.fn or WebFlux.fn CVE-2024-38816. VMware Tanzu Spring is used in our Speech microservices. This...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a Race Condition vulnerability in Apache Tomcat [CVE-2024-50379]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Race Condition vulnerability in Apache Tomcat, due to a case insensitive file system, caused by improper default installation settings CVE-2024-50379. Apache Tomcat is used in our Speech microservices. This vulnerability has been...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a Race Condition vulnerability in Apache Tomcat [CVE-2024-56337]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Race Condition vulnerability in Apache Tomcat, due to a case insensitive file system, caused by improper default installation settings CVE-2024-56337. Apache Tomcat is used in our Speech microservices. This vulnerability has been...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a sensitive information exposure in urllib3 [CVE-2024-37891]
Summary IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure in urllib3, caused by the failure to strip the Proxy-Authorization header during cross-origin redirects CVE-2024-37891. urllib3 is used in our Speech Service runtimes. This vulnerability has been...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a security restrictions bypass in Psf Requests [CVE-2024-35195]
Summary IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Psf Requests, caused by an incorrect control flow implementation vulnerability CVE-2024-35195. Psf Requests is used in our Speech Service runtimes. This vulnerability has been addressed. Please read t...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to cross-site scripting in Twisted [CVE-2024-41810]
Summary IBM Watson Speech Services Cartridge is vulnerable to cross-site scripting in Twisted, caused by improper validation of user-supplied input by the HTTP redirect body CVE-2024-41810. Twisted is used by our Speech Service runtimes. This vulnerability has been addressed. Please read the...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a sensitive information exposure in Twisted [CVE-2024-41671]
Summary IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure in Twisted, caused by a flaw in HTTP 1.0 and 1.1 server CVE-2024-41671. Twisted is used by our Speech Service runtimes. This vulnerability has been addressed. Please read the details for remediation...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to an arbitrary code execution in Jinja [CVE-2024-56201]
Summary IBM Watson Speech Services Cartridge is vulnerable to an arbitrary code execution in Jinja, due to a bug in the Jinja compiler that allows an attacker who controls both the content and filename of a template to execute arbitrary Python code CVE-2024-56201. Jinja is used by our Speech Service...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to an arbitrary code execution in Jinja [CVE-2024-56326]
Summary IBM Watson Speech Services Cartridge is vulnerable to an arbitrary code execution in Jinja, due to an oversight in how the Jinja sandboxed environment detects calls to str.format, which allows an attacker that controls the content of a template to execute arbitrary Python code...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to an information disclosure in PostgreSQL [CVE-2024-4317]
Summary IBM Watson Speech Services Cartridge is vulnerable to an information disclosure in PostgreSQL, caused by a missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs CVE-2024-4317. PostgreSQL is used by our Speech Service utilities. This vulnerability has been...
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2025-27907)
Summary IBM WebSphere Application Server is shipped as a component of Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixe...
Security Bulletin: Security Vulnerabilities in node.js packages affect IBM Voice Gateway
Summary Security Vulnerabilities in node.js packages affect IBM Voice Gateway. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2024-57965 DESCRIPTION: In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a security bypass in Golang Go [CVE-2024-45337]
Summary IBM Watson Speech Services Cartridge is vulnerable to an authorization bypass in Golang Go, caused by applications and libraries which misuse connection.serverAuthenticate via callback field ServerConfig.PublicKeyCallback CVE-2024-45337. Golang Go is used by our Speech Service utilities...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to Remote Code Execution and/or Information disclosure and/or malicious content in Apache Tomcat [CVE-2025-24813]
Summary IBM Watson Speech Services Cartridge is vulnerable to Remote Code Execution and/or Information disclosure and/or malicious content in Apache Tomcat, due to a Path Equivalence issue with 'file.Name' Internal Dot CVE-2025-24813. Apache Tomcat is used in our Speech microservices. This...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Remote Code Execution and/or Information disclosure and/or malicious content in Apache Tomcat [CVE-2025-24813]
Summary IBM Watson Speech Services Cartridge is vulnerable to Remote Code Execution and/or Information disclosure and/or malicious content in Apache Tomcat, due to a Path Equivalence issue with 'file.Name' Internal Dot CVE-2025-24813. Apache Tomcat is used in our Speech microservices. This...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to arbitrary code execution in FreeType [CVE-2025-27363]
Summary IBM Watson Speech Services Cartridge is vulnerable to arbitrary code execution in C, due to an out of bounds write that assigns incorrect values causing under-allocation to a heap buffer. CVE-2025-27363. FreeType is used in our Base OS images. This vulnerability has been addressed. Plea...
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to libxml2, Go JOSE and FreeType
Summary libxml2, Go JOSE, FreeType and IBM MQ used by IBM MQ Operator and Queue Manager container images are vulnerable to memory exhaustion and a Denial of Service by sending numerous malformed tokens, and arbitrary code execution by writing up to 6 signed long integers out of bounds. This...