35661 matches found
Security Bulletin: IBM Robotic Process Automation is vulnerable to man in the middle attacks through manipulation of client proxy (CVE-2022-36774)
Summary IBM Robotic Process automation is vulnerable to man in the middle attacks through manipulation of the client proxy configuration. Vulnerability Details CVEID:CVE-2022-36774 DESCRIPTION: IBM Robotic Process automation is vulnerable to man in the middle attacks through manipulation of the...
Security Bulletin: IBM Robotic Process Automation for Cloud Pak is vulnerable to cross site scripting (CVE-2022-38709)
Summary IBM Robotic Process Automation for Cloud Pak is vulnerable to cross site scripting through DOM manipulation. Vulnerability Details CVEID:CVE-2022-38709 DESCRIPTION: IBM Robotic Process Automation for Cloud Pak is vulnerable to cross-site scripting. This vulnerability allows users to embed...
Security Bulletin: IBM Robotic Process Automation is vulnerable to cross origin resource shareing using the bot api (CVE-2022-41294)
Summary IBM Robotic Process Automation is vulnerable to cross origin resource sharing using the bot api. Vulnerability Details CVEID:CVE-2022-41294 DESCRIPTION: IBM Robotic Process Automation is vulnerable to cross origin resource sharing using the bot api. CVSS Base score: 6.5 CVSS Temporal Scor...
Security Bulletin: IBM Robotic Process Automation is vulnerable to proxy credential exposure in upgrade logs (CVE-2022-39168)
Summary IBM Robotic Process Automation Client is vulnerable to proxy credential exposure in upgrade logs. Vulnerability Details CVEID:CVE-2022-39168 DESCRIPTION: IBM Robotic Process Automation Clients are vulnerable to proxy credentials being exposed in upgrade logs. CVSS Base score: 4.6 CVSS...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to use-after-free due to systemd ( CVE-2022-2526 )
Summary Systemd is used by IBM Cloud Pak for Data as part of the base OS image. CVE-2022-2526 Vulnerability Details CVEID:CVE-2022-2526 DESCRIPTION: systemd could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free flaw due to the onstreamio function and...
Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOps
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for Watson AIOps version 4.1.1 Vulnerability Details CVEID:CVE-2021-40528 DESCRIPTION: GnuPG Libgcrypt could allow a remote attacker to bypass security restrictions, caused by a flaw in the ElGamal implementation. By sending a...
Security Bulletin: A Security Vulnerability was fixed in IBM Application Gateway.
Summary IBM Security Application Gateway is vulnerable to cross-site scripting. This has been fixed in IBM Application Gateway 22.07 Vulnerability Details CVEID:CVE-2022-22387 DESCRIPTION: IBM Application Gateway is vulnerable to cross-site scripting. This vulnerability allows users to embed...
Security Bulletin: Information disclosure vulnerability in IBM QRadar User Behavior Analytics (CVE-2022-36771)
Summary Non-Admin access to some admin level information was available if users had correct paths to the information. Checks were added to authorize access even when it is not initiated from the user interface. Vulnerability Details CVEID:CVE-2022-36771 DESCRIPTION: IBM QRadar User Behavior...
Security Bulletin: IBM InfoSphere Information Server is affected by a session management vulnerability (CVE-2022-41291)
Summary IBM InfoSphere Information Server is affected by a session management vulnerability. Vulnerability Details CVEID:CVE-2022-41291 DESCRIPTION: IBM InfoSphere Information Server does not invalidate session after logout which could allow an authenticated user to impersonate another user on th...
Security Bulletin: XML External Entity Injection (XXE) attack Affects IBM Partner Engagement Manager (CVE-2022-34348)
Summary IBM Sterling Partner Engagement Manager is vulnerable to an XML External Entity Injection XXE attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. Vulnerability Details CVEID:CVE-2022-34348...
Security Bulletin: IBM Maximo Asset Management is vulnerable to authentication bypass (CVE-2022-40616)
Summary IBM Maximo Asset Management is vulnerable to authentication bypass. Vulnerability Details CVEID:CVE-2022-40616 DESCRIPTION: IBM Maximo Asset Management could allow a user to bypass authentication and obtain sensitive information or perform tasks they should not have access to. CVSS Base...
Security Bulletin: Directory traversal attack in IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-40608)
Summary The IBM Spectrum Protect Plus Microsoft File Systems restore operation is vulnerable to a directory traversal attack which can result in gaining access to unauthorized files . Vulnerability Details CVEID:CVE-2022-40608 DESCRIPTION: IBM Spectrum Protect Plus Microsoft File Systems restore...
Security Bulletin: Insecure handling of TLS certificates by IBM Spectrum Protect Plus (CVE-2022-40234)
Summary IBM Spectrum Protect Plus incorrectly handles TLS certificates which can result in an attacker obtaining private key information for the uploaded certificate. Vulnerability Details CVEID:CVE-2022-40234 DESCRIPTION: Versions of IBM Spectrum Protect Plus prior to 10.1.12 excluding 10.1.12...
Security Bulletin: Provision to add https and Secure Flag to bayeux_browser cookie for IBM Control Desk.
Summary BAYEUXBROWSER cookie is generated from Cometd Server and it remains live with the session. In older versions of cometd server, BAYEUXBROWSER cookie was neither true for https nor for secure. But in the current version ie. 5.0.3, there is a provision to make the cookie true for https and...
Security Bulletin: AIX is vulnerable to a privilege escalation vulnerability due to invscout (CVE-2022-36768)
Summary A vulnerability in the AIX invscout command could allow a non-privileged local user to obtain root privileges CVE-2022-36768. Vulnerability Details CVEID:CVE-2022-36768 DESCRIPTION: IBM AIX could allow a non-privileged local user to exploit a vulnerability in the invscout command to obtai...
Security Bulletin: AIX is vulnerable to a privilege escalation vulnerability (CVE-2022-34356)
Summary UPDATED Oct 10 Added iFixes with the correct prereqs for VIOS 3.1.2.30 and 3.1.2.40: A vulnerability in the AIX kernel could allow a non-privileged local user to obtain root privileges CVE-2022-34356. Vulnerability Details CVEID:CVE-2022-34356 DESCRIPTION: IBM AIX could allow a...
Security Bulletin: IBM Aspera Faspex 5.0.x affected by vulnerability (CVE-2022-22403)
Summary Aspera Faspex 5.0.2 has addressed the following vulnerability. Vulnerability Details CVEID:CVE-2022-22403 DESCRIPTION: IBM Aspera Faspex 5 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link...
Security Bulletin: IBM Aspera Faspex 5.0.0/5.0.1 affected by vulnerability (CVE-2022-22399)
Summary This security bulletin addresses a HTTP header injection vulnerability that have been remediated in IBM Aspera Faspex 5.0.2. Vulnerability Details CVEID:CVE-2022-22399 DESCRIPTION: IBM Aspera Faspex 5 is vulnerable to HTTP header injection, caused by improper validation of input by the HO...
Security Bulletin: DataStage on Cloud Pak for Data Is Vulnerable to Sensitive Information Disclosure Error (CVE-2022-38714)
Summary A vulnerability in DataStage on Cloud Pak for Data had the potential of exposing database connection details database names, database user-id, database credential to authorized users with Cluster Admin role had they performed remote access to running datastage containers that was processi...
Security Bulletin: A security vulnerability has been fixed in IBM Security Identity Manager (CVE-2021-29864)
Summary A security vulnerability has been fixed in IBM Security Identity Manager. Vulnerability Details CVEID:CVE-2021-29864 DESCRIPTION: IBM Security Identity Manager could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a...
Security Bulletin: Custom "Execution States" names on IBM Engineering Test Management TCER pages are vulnerable to XSS ( CVE-2021-38934 )
Summary ETM allows customization of "Execution States" names, allowing the injection of XSS payloads and making them vulnerable to XSS. Custom values into the names of "Execution States" are not encoded while displaying them on the "Test Cases Execution Records" TCER pages, allowing the execution...
Security Bulletin: IBM Planning Analytics Workspace is affected by multiple vulnerabilities (CVE-2022-22968, CVE-2022-24785, CVE-2017-18214, CVE-2016-4055, CVE-2018-1000613, CVE-2020-15522, CVE-2018-1000180, CVE-2020-26939, CVE-2022-22314)
Summary IBM Planning Analytics Workspace is affected by multiple vulnerabilities. Spring is used in IBM Planning Analytics Workspace in Server-Side Rest APIs as an indirect dependency by MongoDB that is used to store content CVE-2022-22968. Node.js moment is used in IBM Planning Analytics Workspa...
Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-35714)
Summary IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting. Vulnerability Details CVEID:CVE-2022-35714 DESCRIPTION: IBM Maximo Asset Management is vulnerable to cross-site scripting. This vulnerability allows...
Security Bulletin: This Power System update is being released to address CVE 2021-29891
Summary POWER9: In response to a security issue with BMC's HTTPS server, a new Power System firmware update is being released to address Common Vulnerabilities and Exposures issue number CVE 2021-29891. Vulnerability Details CVEID:CVE-2021-29891 DESCRIPTION: IBM OPENBMC could allow a privileged...
Security Bulletin: A security vulnerability has been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component (CVE-2022-22455)
Summary IBM Security Verify Governance, Identity Manager virtual appliance component has addressed the following vulnerability. Vulnerability Details CVEID:CVE-2022-22455 DESCRIPTION: IBM Security Verify Identity Manager performs an operation at a privilege level that is higher than the minimum...
Security Bulletin: IBM Sterling B2B Integrator Dashboard UI is vulnerable to sensitive information exposure (CVE-2021-39087)
Summary IBM Sterling B2B Integrator dashboard UI has addressed a sensitive information exposure security vulnerability. Vulnerability Details CVEID:CVE-2021-39087 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition could allow an authenticated user to obtain sensitive information due to...
Security Bulletin: IBM Sterling File Gateway is vulnerable to information disclosure (CVE-2021-39086)
Summary IBM Sterling File Gateway has addressed the an information discloure vulnerability. Vulnerability Details CVEID:CVE-2021-39086 DESCRIPTION: IBM Sterling File Gateway could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the...
Security Bulletin: IBM Sterling B2B Integrator Dashboard UI is vulner to SQL Injection (CVE-2021-39085)
Summary IBM Sterling B2B Integrator dashboard UI has addressed an SQL injection vulnerability. Vulnerability Details CVEID:CVE-2021-39085 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which...
Security Bulletin: IBM Sterling B2B Integrator Dashboard UI is vulnerable to XSS (CVE-2021-39035)
Summary IBM Sterling B2B Integrator dashboard UI is vulnerable to cross-site scription XSS. The issue has been addressed. Vulnerability Details CVEID:CVE-2021-39035 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. This vulnerability allows users to...
Security Bulletin: IBM InfoSphere Information Server Low Level Authenticated User Can View Higher Level User And Group Listing (CVE-2022-36772)
Summary A vulnerability in IBM InfoSphere Information Server allowed lower level authenticated user to view other users and groups list. The scope of the vulnerability was limited in nature. The flaw gave such users VIEW access only. This vulnerabity was addressed. Vulnerability Details...
Security Bulletin: IBM Workload Scheduler is vulnerable to arbitrary file creation vulnerability due to CVE-2022-22369 affecting JLOG component
Summary The Jlog component on the Master Domain Manager of IBM Workload Scheduler permits an unauthenticated user to interact with the system making it possible to modify the way the service works or modify system files. Vulnerability Details CVEID:CVE-2022-22369 DESCRIPTION: IBM Workload...
Security Bulletin: IBM InfoSphere Information Server is affected by an Information disclosure vulnerability (CVE-2022-35715)
Summary An Information disclosure vulnerability in InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2022-35715 DESCRIPTION: IBM InfoSphere Information Server could allow a remote attacker to obtain sensitive information when a detailed technical error message is return...
Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale Data Access Services (DAS) where service account token configured with risky permission (CVE-2022-22411)
Summary A security vulnerability has been identified in IBM Spectrum Scale Data Access Services DAS where service account token configured with risky permission. A fix for this vulnerability is available. Vulnerability Details CVEID:CVE-2022-22411 DESCRIPTION: IBM Spectrum Scale could allow an...
Security Bulletin: IBM Robotic Process Automation is vulnerable to disclosing sensitive information due to improper privilege management for storage provider types (CVE-2022-34338)
Summary IBM Robotic Process Automation is vulnerable to disclosing sensitive information due to improper privilege management for storage provider types CVE-2022-34338 Vulnerability Details CVEID:CVE-2022-34338 DESCRIPTION: IBM Robotic Process Automation could disclose sensitive information due t...
Security Bulletin: Urbancode Deploy is vulnerable to incorrect authorization reading Component Processes ( CVE-2022-35716 )
Summary Component process security checks can sometimes grant read-level access to users that do not have access if the process is owned by a Component Template and an endpoint performs multiple validations. Vulnerability Details CVEID:CVE-2022-35716 DESCRIPTION: IBM UrbanCode Deploy UCD could...
Security Bulletin: IBM Robotic Process Automation is vulnerable to exposure of tenant credentials (CVE-2022-22505)
Summary Security Bulletin: IBM Robotic Process Automation is vulnerable to exposure of tenant credentials CVE-2022-22505 Vulnerability Details CVEID:CVE-2022-22505 DESCRIPTION: IBM Robotic Process Automation contains a vulnerability that could allow IBM tenant credentials to be exposed. CVSS Base...
Security Bulletin: IBM PowerVM VIOS could allow a remote attacker to tamper with system configuration or cause a denial of service (CVE-2022-35643)
Summary A vulnerability in IBM PowerVM VIOS could allow a remote attacker to tamper with system configuration or cause a denial of service CVE-2022-35643. Vulnerability Details CVEID:CVE-2022-35643 DESCRIPTION: IBM PowerVM VIOS could allow a remote attacker to tamper with system configuration or...
Security Bulletin: IBM QRadar SIEM is vulnerable to local privilege escalation (CVE-2021-39088)
Summary IBM QRadar SIEM is vulnerable to local privilege escalation if this could be combined with other unknown vulnerabilities then privilege escalation could be performed. IBM QRadar SIEM has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2021-39088 DESCRIPTION: IBM QRadar SIEM ...
Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to Slowloris HTTP DOS attack (CVE-2022-35639)
Summary IBM Sterling Partner Engagement Manager is vulnerable to Slowloris attack is a type of denial-of-service DoS attack which targets threaded web servers. The issue has been addressed. Vulnerability Details CVEID:CVE-2022-35639 DESCRIPTION: IBM Sterling Partner Engagement Manager do not limi...
Security Bulletin: IBM QRadar SIEM is vulnerable to infomation disclosured due to incorrect file permissions (CVE-2022-22424)
Summary IBM QRadar could allow a local user to obtain sensitive information from the TLS key file due to incorrect file permissions. IBM QRadar SIEM has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2022-22424 DESCRIPTION: IBM QRadar could allow a local user to obtain sensitive...
Security Bulletin: IBM QRadar SIEM is vulnerable to improper certificate validation (CVE-2021-29755)
Summary IBM Qradar SIEM does not preform proper certificate validation for some inter-host communications. IBM QRadar SIEM has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2021-29755 DESCRIPTION: IBM Qradar SIEM does not preform proper certificate validation for some inter-host...
Security Bulletin: A buffer overread, security restrictions bypass, a use-after-free, and other vulnerabilities might affect IBM Storage Defender – Resiliency Service
Summary IBM Storage Defender – Resiliency Service is vulnerable to a buffer overread, security restrictions bypass, a use-after-free, and others. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2020-15945 DESCRIPTION: Lua 5.4.0 fixed in 5.4.1 has a segmentation fault in...
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to Insertion of Sensitive Information into Log File vulnerability (CVE-2025-1998)
Summary IBM DevOps Deploy / IBM UrbanCode Deploy UCD stores potentially sensitive authentication token information in log files that could be read by a local user. Vulnerability Details CVEID:CVE-2025-1998 DESCRIPTION: IBM UrbanCode Deploy UCD stores potentially sensitive authentication token...
Security Bulletin: IBM Match 360 vulnerable through IBM WebSphere Application Server Liberty being vulnerable to information disclosure (CVE-2023-50314)
Summary IBM Match 360 is vulnerable to information disclosure from IBM WebSphere Application Server Liberty. This is affecting IBM WebSphere Application Server Liberty versions 17.0.0.3 - 24.0.0.8. IBM WebSphere Application Server Liberty could allow an attacker with access to the network to...
Security Bulletin: IBM Match 360 is vulnerable to a denial of service from IBM WebSphere Application Server Liberty vulnerability found in Google Protocol Buffers (CVE-2024-7254)
Summary IBM Match 360 is vulnerable to a denial service from IBM WebSphere Application Server Liberty use of vulnerable Google Protocol Buffers. This affects IBM WebSphere Application Server Liberty 20.0.0.12 - 24.0.0.10 with the specified features enabled. Any project that parses untrusted...
Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Netty (CVE-2025-25193)
Summary There is a vulnerability in the Netty library used by IBM WebSphere Application Server Liberty with the grpc-1.0 or grpcClient-1.0 feature enabled. Vulnerability Details CVEID:CVE-2025-25193 DESCRIPTION: Netty, an asynchronous, event-driven network application framework, has a vulnerabili...
Security Bulletin: SHA-1 cipher suites detected in older versions of SPSS Statistics (CVE-2024-31896)
Summary The Statistics server supports SHA-1 cipher suites. SHA-1 was officially deprecated by NIST in 2011, but many applications still rely on it. Up until 2017, only theoretical attacks have been known against SHA-1, which is why many applications still rely on it. Recently, a practical attack...
Security Bulletin: Apache axis.jar is present in older Statistics releases that use IBM SPSS C&DS
Summary Apache Axis is vulnerable to server-side request forgery, caused by a improper input validation by the service admin HTTP API. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack. Customers using IBM SPSS Statistics versions 26-29 wi...
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to gcc, github.com/opencontainers/runc and github.com/containers/common (CVE-2024-45310, CVE-2020-11023, CVE-2024-9341)
Summary gcc, github.com/opencontainers/runc and github.com/containers/common used by IBM MQ Operator and Queue Manager container images are vulnerable by executing untrusted code using jQuery's DOM manipulation methods and bypassing security restrictions which might allow an attacker to access...
Security Bulletin: IBM Sterling Control Center is affected by JSON-java vulnerability (CVE-2022-45688)
Summary Vulnerability in JSON-java is impacting IBM Sterling Control Center v6.3.1 and v6.2.1. Customers must upgrade to latest patch below to address this vulnerability. Vulnerability Details CVEID:CVE-2022-45688 DESCRIPTION: Hutool is vulnerable to a denial of service, caused by stack-based...