35634 matches found
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to an arbitrary code execution in Jinja [CVE-2024-56326]
Summary IBM Watson Speech Services Cartridge is vulnerable to an arbitrary code execution in Jinja, due to an oversight in how the Jinja sandboxed environment detects calls to str.format, which allows an attacker that controls the content of a template to execute arbitrary Python code...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to an information disclosure in PostgreSQL [CVE-2024-4317]
Summary IBM Watson Speech Services Cartridge is vulnerable to an information disclosure in PostgreSQL, caused by a missing authorization in PostgreSQL built-in views pgstatsext and pgstatsextexprs CVE-2024-4317. PostgreSQL is used by our Speech Service utilities. This vulnerabilitiy has been...
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2025-27907)
Summary IBM WebSphere Application Server is shipped as a component of Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixe...
Security Bulletin: Security Vulnerabilities in node.js packages affect IBM Voice Gateway
Summary Security Vulnerabilities in node.js packages affect IBM Voice Gateway. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2024-57965 DESCRIPTION: In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a security bypass in Golang Go [CVE-2024-45337]
Summary IBM Watson Speech Services Cartridge is vulnerable to an authorization bypass in Golang Go, caused by applications and libraries which misuse connection.serverAuthenticate via callback field ServerConfig.PublicKeyCallback CVE-2024-45337. Golang Go is used by our Speech Service utilities...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to Remote Code Execution and/or Information disclosure and/or malicious content in Apache Tomcat [CVE-2025-24813]
Summary IBM Watson Speech Services Cartridge is vulnerable to Remote Code Execution and/or Information disclosure and/or malicious content in Apache Tomcat, due to a Path Equivalence issue with 'file.Name' Internal Dot CVE-2025-24813. Apache Tomcat is used in our Speech microservices. This...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Remote Code Execution and/or Information disclosure and/or malicious content in Apache Tomcat [CVE-2025-24813]
Summary IBM Watson Speech Services Cartridge is vulnerable to Remote Code Execution and/or Information disclosure and/or malicious content in Apache Tomcat, due to a Path Equivalence issue with 'file.Name' Internal Dot CVE-2025-24813. Apache Tomcat is used in our Speech microservices. This...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to arbitrary code execution in FreeType [CVE-2025-27363]
Summary IBM Watson Speech Services Cartridge is vulnerable to arbitrary code execution in C, due to an out of bounds write that assigns incorrect values causing under-allocation to a heap buffer. CVE-2025-27363. Free Type is used in our Base OS images. This vulnerabilitiy has been addressed. Plea...
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to libxml2, Go JOSE and FreeType
Summary libxml2, Go JOSE, FreeType and IBM MQ used by IBM MQ Operator and Queue Manager container images are vulnerable to memory exhaustion and a Denial of Service by sending numerous malformed tokens, and arbitrary code execution by writing up to 6 signed long integers out of bounds. This...
Security Bulletin: An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing, affects watsonx.data
Summary An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-45338 DESCRIPTION: An attacker can craft an input to the Parse...
Security Bulletin:VMware Tanzu Spring Framework could provide weaker than expected security, affects watsonx.data
Summary VMware Tanzu Spring Framework could provide weaker than expected securitycaused by a flaw related to disallowedFields patterns in DataBinder is case insensitive. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-38820 DESCRIPTION: VMware Tanzu Spring Framework could...
Security Bulletin:The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting, affects watsonx.data
Summary The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'osmmap' shortcode in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping on user supplied attributes such as 'theme'. This could affe...
Security Bulletin: IBM Maximo Asset Management application is vulnerable to unrestricted file upload( CVE-2024-45088)
Summary IBM Maximo Asset Management is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...
Security Bulletin: IBM® Db2® is vulnerable to sensitive information disclosure when using ADMIN_CMD with IMPORT or EXPORT (CVE-2023-38729)
Summary IBM® Db2® is vulnerable to sensitive information disclosure when using ADMINCMD with IMPORT or EXPORT. Note: In addition to applying Special Build, registry variable DB2LOADRESTRICTEDIOPATH needs to be set to USEEXTBLLOCATION 11.1 or later, or one or more semi-colon separated paths. When...
Security Bulletin: IBM® Db2® could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. (CVE-2021-29825)
Summary IBM® Db2® could disclose sensitive information when using ADMINCMD with LOAD or BACKUP. Note: In addition to applying Special Build, registry variable DB2LOADRESTRICTEDIOPATH needs to be set to USEEXTBLLOCATION 11.1 or later, or one or more semi-colon separated paths. When using...
Security Bulletin: IBM Cognos Analytics is vulnerable to Malicious File Upload and EL Injection vulnerabilities (CVE-2024-40695, CVE-2024-51466)
Summary IBM Cognos Analytics is considered vulnerable to a Malicious File Upload which could allow a privileged user to upload malicious files that can be automatically processed within the product CVE-2024-40695 and an Expression Language EL Injection which could allow a remote attacker to explo...
Security Bulletin: IBM Cognos Analytics has addressed a vulnerability in FreeType (CVE-2025-27363)
Summary IBM Cognos Analytics is considered affected by an arbitrary code execution in FreeType CVE-2025-27363. Freetype is used by IBM Cognos Analytics to render fonts. Vulnerability Details CVEID:CVE-2025-27363 DESCRIPTION: An out of bounds write exists in FreeType versions 2.13.0 and below newe...
Security Bulletin: IBM WebSphere Automation is vulnerable to an arbitrary code execution (CVE-2025-27363).
Summary IBM WebSphere Automation is vulnerable to an arbitrary code execution. Vulnerability Details CVEID:CVE-2025-27363 DESCRIPTION: An out of bounds write exists in FreeType versions 2.13.0 and below newer versions of FreeType are not vulnerable when attempting to parse font subglyph structure...
Security Bulletin: IBM Tivoli Composite Application Manager for Application Diagnostics installed IBM WebSphere Application Server is vulnerable to server-side request forgery (CVE-2025-27907)
Summary The security issue described in CVE-2025-27907 has been identified in the WebSphere Application Server included as part of IBM Tivoli Composite Application Manager for Application Diagnostics. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...
Security Bulletin: Multiple Vulnerabilities in IBM Concert Software.
Summary Multiple vulnerabilities were addressed in IBM Concert Software version 1.1.0 Vulnerability Details CVEID:CVE-2024-55909 DESCRIPTION: IBM Concert Software could allow an authenticated user to cause a denial of service due to the expansion of archive files without controlling resource...
Security Bulletin: Vulnerabilities in JAR files affect Transparent Cloud Tiering in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
Summary Vulnerabilities in multiple JAR files affect Transparent Cloud Tiering in IBM SAN Volume Controller, IBM Storwize, IBM Storage Virtualize and IBM FlashSystem products. The vulnerabilities are not thought to be exploitable but IBM recommends upgrade for users of Transparent Cloud Tiering...
Security Bulletin: IBM Spectrum Symphony with Node.js various security issues
Summary IBM Spectrum Symphony with Node.js various security issues Vulnerability Details CVEID:CVE-2023-23920 DESCRIPTION: Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By sending a specially-crafted request using ICUDATA...
Security Bulletin: InfoSphere Data Replication is affected by multiple postgresql vulnerbilities
Summary InfoSphere Data Replication uses postgresql. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2022-26520 DESCRIPTION: pgjdbc could allow a remote attacker to execute arbitrary code on the system, caused by the external control of the...
Security Bulletin: IBM Observability with Instana (OnPrem) is affected by multiple security vulnerabilities
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana OnPrem build 1.0.293 Vulnerability Details CVEID:CVE-2024-53382 DESCRIPTION: Prism aka PrismJS through 1.29.0 allows DOM Clobbering with resultant XSS for untrusted input that contains HTML but does not directly...
Security Bulletin: IBM Cognos Transformer has addressed a vulnerability in FreeType (CVE-2025-27363)
Summary IBM Cognos Transformer is considered affected by an arbitrary code execution in FreeType CVE-2025-27363. Vulnerability Details CVEID:CVE-2025-27363 DESCRIPTION: An out of bounds write exists in FreeType versions 2.13.0 and below newer versions of FreeType are not vulnerable when attemptin...
Security Bulletin: IBM Cognos PowerPlay has addressed a vulnerability in FreeType (CVE-2025-27363)
Summary IBM Cognos PowerPlay is considered affected by an arbitrary code execution in FreeType CVE-2025-27363. Vulnerability Details CVEID:CVE-2025-27363 DESCRIPTION: An out of bounds write exists in FreeType versions 2.13.0 and below newer versions of FreeType are not vulnerable when attempting ...
Security Bulletin: Security vulnerabilities affect libxml2 and gcc packages shipped with IBM CICS TX Advanced.
Summary IBM CICS TX Advanced is impacted by security vulnerabilities found in packages libxml2 and gcc. IBM CICS TX Advanced has been updated in order to address these vulnerabilities. Vulnerability Details CVEID:CVE-2022-49043 DESCRIPTION: xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11....
Security Bulletin: Multiple vulnerabilities have been found in IBM CICS TX Standard.
Summary IBM CICS TX Standard has been updated in order to address multiple vulnerabilities. Vulnerability Details CVEID:CVE-2022-49043 DESCRIPTION: xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. CWE:CWE-416: Use After Free CVSS Source: [email protected] CVSS Base scor...
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to denial of service due to OpenSSL (CVE-2022-0778)
Summary OpenSSL is used by DataStage on Cloud Pak for Data as part of secure network communication. Vulnerability Details CVEID:CVE-2022-0778 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a flaw in the BNmodsqrt function when parsing certificates. By using a specially-craft...
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to arbitrary code execution due to Apache Avro (CVE-2024-47561)
Summary Apache Avro is used by DataStage on Cloud Pak for Data as part of data serialization. Vulnerability Details CVEID:CVE-2024-47561 DESCRIPTION: Apache Avro could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in schema parsing in the Java SDK...
Security Bulletin: There is an Out-of-Bounds write vulnerability in MIT's Kerberos 5 that is shipped with IBM TXSeries for Multiplatforms (CVE-2025-24528).
Summary There is an Out-of-Bounds write vulnerability in MIT's Kerberos 5 that is shipped with IBM TXSeries for Multiplatforms CVE-2025-24528. MIT's Kerberos 5 is a network authentication protocol that is used by IBM TXSeries for Multiplatforms. An update to IBM TXSeries for Multiplatforms has be...
Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to server-side request forgery (CVE-2025-27907)
Summary IBM WebSphere Application Server shipped with Jazz for Service Management JazzSM is vulnerable to server-side request forgery. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions ---|---...
Security Bulletin: Multiple Vulnerabilities in IBM API Connect
Summary Multiple vulnerabilities were addressed in IBM API Connect version 10.0.8.2-ifix1 Vulnerability Details CVEID:CVE-2025-1974 DESCRIPTION: A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve...
Security Bulletin: Multiple vulnerabilities in IBM Rapid Infrastructure Automation
Summary Multiple vulnerabilities were addressed in IBM Rapid Infrastructure Automation v1.1.5 Vulnerability Details CVEID:CVE-2024-47875 DESCRIPTION: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This...
Security Bulletin: IBM Security Guardium is affected by multiple kernel vulnerabilities
Summary IBM Security Guardium has addressed these vulnerabilities in an update Vulnerability Details CVEID:CVE-2024-26669 DESCRIPTION: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a chain template offload flaw in net/sched. By sending a...
Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Javascript Injection. (CVE-2021-29669)
Summary Summary guidance: IBM Engineering Lifecycle Management - IBM Jazz is vulnerable to Javascript Injection. This bulletin contains information regarding vulnerabilities and remediation actions. Vulnerability Details CVEID:CVE-2021-29669 DESCRIPTION: IBM Jazz Foundation is vulnerable to...
Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a cri-o security vulnerability (CVE-2024-9676)
Summary Red Hat OpenShift on IBM Cloud is affected by a security vulnerability found in the cri-o component which a remote authenticated attacker could exploit to cause a denial of service condition. CVE-2024-9676 Vulnerability Details CVEID: CVE-2024-9676 Description: Podman, Buildah and CRI-O a...
Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a cri-o security vulnerability (CVE-2024-5154)
Summary Red Hat OpenShift on IBM Cloud is affected by a security vulnerability found in the cri-o component which could allow an attacker to send a specially crafted URL request containing "dot dot" sequences /../ to read and write arbitrary files on the system. Vulnerability Details CVEID:...
Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities
Summary IBM Cloud Transformation Advisor has addressed multiple security vulnerabilities listed herein. Vulnerability Details CVEID:CVE-2023-49569 DESCRIPTION: go-git could allow a remote attacker to traverse directories on the system. By sending a specially crafted request using the ChrootOS...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation Fixes for April 2024.
Summary In addition to OS level package updates, multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF032 and 23.0.2-IF004. Vulnerability Details CVEID:CVE-2024-22353 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 is...
Security Bulletin: IBM Security Verify Governance - Identity Manager has multiple vulnerabilities
Summary Multiple security vulnerabilities have been addressed in updates to IBM Security Verify Governance - Identity Manager software component and IBM Security Verify Governance - Identity Manager virtual appliance component. Vulnerability Details CVEID:CVE-2024-38809 DESCRIPTION: VMware Tanzu...
Security Bulletin: Order Management is subject to various OS vulnerabilites which could have allowed attacker various entry points into application.
Summary Order Management has updated the container OS version and remediated to the point of code freeze. This bulletin identifies the steps to take to address the vulnerabilities by updating to the very latest OS version. Vulnerability Details CVEID:CVE-2022-2923 DESCRIPTION: Vim is vulnerable t...
Security Bulletin: Several vulnerabilities affect Watson Machine Learning Accelerator on Cloud Pak for Data 5.0.0
Summary Several vulnerabilities in Watson Machine Learning Accelerator on Cloud Pak for Data 5.0.0 have been fixed in Watson Machine Learning Accelerator on Cloud Pak for Data 5.0 latest refresh. Vulnerability Details CVEID:CVE-2024-3568 DESCRIPTION: Hugging Face Transformers could allow a remote...
Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a Kubernetes API server security vulnerability (CVE-2023-1260)
Summary Red Hat OpenShift on IBM Cloud is affected by a security vulnerability in the Kubernetes API server that may allow an authenticated user evade security context constraints SCCs admission restrictions, thereby gaining control of a privileged pod CVE-2023-1260. Vulnerability Details CVEID:...
Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to Node.js
Summary Vulnerabilities in Node.js such as remote attacker bypass security restrictions may affect IBM Spectrum Control. Vulnerability Details CVEID:CVE-2023-30581 DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by the use of proto in...
Security Bulletin: IBM Safer Payments vulnerable to Denial Of Service Attacks (CVE-2020-4729)
Summary IBM Safer Payments can be crashed by sending specially crafted API calls. This vulnerability has been addressed. Vulnerability Details CVEID:CVE-2020-4729 DESCRIPTION: IBM Counter Fraud Management for Safer Payments could allow an authenticated attacker under special circumstances to send...
Security Bulletin: A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2022-25690)
Summary IBM HTTP Server is shipped with IBM WebSphere Remote Server. Information about a security vulnerability affecting IBM HTTP Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and...
Security Bulletin: IBM Spectrum Protect Plus vulnerability discloses sensitive information due to unencrypted data in transit (CVE-2020-4497)
Summary IBM Spectrum Protect Plus does not encrypt data transfer between vSnap servers and application agents. This could allow an attacker to view senstive information in transit. Vulnerability Details CVEID:CVE-2020-4497 DESCRIPTION: IBM Spectrum Protect Plus discloses sensitive information due...
Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities
Summary IBM Security Guardium has fixed these vulnerabilities. Vulnerability Details CVEID:CVE-2021-39077 DESCRIPTION: IBM Security Guardium stores user credentials in plain clear text which can be read by a local privileged user. CVSS Base score: 4.4 CVSS Temporal Score: See:...
Security Bulletin: IBM InfoSphere Information Server is vulnerable to information disclosure (CVE-2022-22442)
Summary An information disclosure vulnerability due to improper access controls was addressed in InfoSphere Information Server. Vulnerability Details CVEID:CVE-2022-22442 DESCRIPTION: IBM InfoSphere Information Server could allow an authenticated user to access information restricted to users wit...