35665 matches found
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an argument injection vulnerability in go-git [CVE-2025-21613]
Summary IBM Watson Speech Services Cartridge is vulnerable to an argument injection vulnerability in go-git, allowing the setting of arbitrary values to git-upload-pack flags when file transport protocol is used CVE-2025-21613. Go-git is used in our watson-speech-catalog images. This vulnerabilit...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Server-Side Request Forgery in QOS.CH logback [CVE-2024-12801]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Server-Side Request Forgery in QOS.CH logback, caused by a flaw in the SaxEventRecorder CVE-2024-12801. QOS.CH logback is used by our Speech Microservices. This vulnerabilitiy has been addressed. Please read the details for remediati...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in logback-classic [CVE-2024-12798]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in logback-classic, caused by a flaw in the JaninoEventEvaluator extension CVE-2024-12798. Logback-classic is used by our Speech Microservices. This vulnerabilitiy has been addressed. Please read the details for...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Spring Framework [CVE-2024-38809]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Spring Framework, caused by improper input validation CVE-2024-38809. Spring Framework is used by our Speech Microservices. This vulnerabilitiy has been addressed. Please read the details for remediation below...
Security Bulletin: IBM Cognos Analytics is affected by multiple vulnerabilities
Summary There are vulnerabilities in IBM WebSphere Application Server Liberty and Open-Source Software OSS components used by IBM Cognos Analytics. Additionally, IBM Cognos Analytics is vulnerable to Local File Inclusion vulnerabilities. For more information about the vulnerability impact, refer ...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a security weakness in Spring Framework [CVE-2024-38820]
Summary IBM Watson Speech Services Cartridge is vulnerable to a security weakness in Spring Framework, caused by a flaw related to disallowedFields patterns in DataBinder is case insensitive CVE-2024-38820. Spring Framework is used by our Speech Microservices. This vulnerabilitiy has been...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Spring Security [CVE-2024-38827]
Summary IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Spring Security, caused by a locale dependent exceptions issue in the useage of String.toLowerCase and String.toUpperCase fimctopms CVE-2024-38827. VMware Tanzu Spring Security is used by our Speech...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a directory traversal in Spring Framework [CVE-2024-38819]
Summary IBM Watson Speech Services Cartridge is vulnerable to a directory traversal in Spring Framework, caused by improper validation of user request by the functional web frameworks WebMvc.fn or WebFlux.fn CVE-2024-38819. Spring Framework is used by our Speech Microservices. This vulnerabilitiy...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a TOCTOU Race Condition vulnerability in Apache Tomcat [CVE-2024-50379]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Time-of-check Time-of-use TOCTOU Race Condition vulnerability in Apache Tomcat, caused by JSP compilation on case-insensitive file systems when the default servlet is enabled for writing CVE-2024-50379. Apache Tomcat is used by our...
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js (CVE-2025-23085, CVE-2025-23084 & CVE-2025-22150)
Summary IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js. Vulnerability Details CVEID:CVE-2025-23085 DESCRIPTION: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header wa...
Security Bulletin: IBM MQ is affected by multiple vulnerabilities in the IBM Semeru Runtime
Summary Multiple vulnerabilities were identified with IBM Semeru Runtime which is used in IBM MQ Explorer. Vulnerability Details CVEID:CVE-2024-21217 DESCRIPTION: Vulnerability in Java SE component: Serialization. Difficult to exploit vulnerability allows unauthenticated attacker with network...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a TOCTOU Race Condition vulnerability in Apache Tomcat [CVE-2024-56337]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Time-of-check Time-of-use TOCTOU Race Condition vulnerability in Apache Tomcat, caused by JSP compilation on case-insensitive file systems when the default servlet is enabled for writing. CVE-2024-56337. Apache Tomcat is used by our...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure in urllib3 [CVE-2024-37891]
Summary IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure in urllib3, caused by the failure to strip the Proxy-Authorization header during cross-origin redirects CVE-2024-37891. Urllib3 is used by our Speech Runtime images. This vulnerabilitiy has been...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Psf Requests [CVE-2024-35195]
Summary IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Psf Requests, caused by an incorrect control flow implementation vulnerability CVE-2024-35195. Psf Requests is used by our Speech Runtime images. This vulnerabilitiy has been addressed. Please read the...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to cross-site scripting in Twisted [CVE-2024-41810]
Summary IBM Watson Speech Services Cartridge is vulnerable to cross-site scripting in Twisted, caused by improper validation of user-supplied input by the HTTP redirect body CVE-2024-41810. Twisted is used by our Speech Runtimes. This vulnerabilitiy has been addressed. Please read the details for...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure in Twisted [CVE-2024-41671]
Summary IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure in Twisted, caused by a flaw in HTTP 1.0 and 1.1 server CVE-2024-41671. Twisted is used by our Speech Runtimes. This vulnerabilitiy has been addressed. Please read the details for remediation below...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an arbitrary Python code execution in Jinja [CVE-2024-56326]
Summary IBM Watson Speech Services Cartridge is vulnerable to an arbitrary Python code execution in Jinja , caused by a sandbox breakout flaw CVE-2024-56326. Jinja is used by our Speech Runtimes. This vulnerabilitiy has been addressed. Please read the details for remediation below. Vulnerability...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure in PostgreSQL [CVE-2024-4317]
Summary IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure, caused by missing authorization in PostgreSQL built-in views pgstatsext and pgstatsextexprs CVE-2024-4317. PostgreSQL is used by our Speech Utilities. This vulnerabilitiy has been addressed. Please rea...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Golang net [CVE-2024-45338]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Golang net, caused by slow non-linear processing in Parse functions CVE-2024-45338. Golang net is used by our Speech Utilities. This vulnerabilitiy has been addressed. Please read the details for remediation belo...
Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities
Summary There are vulnerabilities in Open-Source Software OSS components consumed by IBM Cognos Dashboards on Cloud Pak for Data. Please refer to the Related Information section below for vulnerability impact. This Security Bulletin relates only to the direct usage of third-party components by IB...
Security Bulletin:Vulnerability in Apache Druid affects watsonx.data
Summary Apache Druid could allow a remote attacker to bypass security restrictions. These could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-45384 DESCRIPTION: Apache Druid could allow a remote attacker to bypass security restrictions, caused by a flaw in the druid-pac4j extension. B...
Security Bulletin:Vulnerabiilties in swagger-ui and Bootstrap affect watsonx.data
Summary swagger-ui is vulnerable to conduct spoofing attacks. Bootstrap is vulnerable to cross-site scripting. These could affect watsonx.data. Vulnerability Details CVEID:CVE-2018-25031 DESCRIPTION: swagger-ui could allow a remote attacker to conduct spoofing attacks. By persuading a victim to...
Security Bulletin: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability affects watsonx.data
Summary Time-of-check Time-of-use TOCTOU Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write non-default configuration, which could affect watsonx.data. Vulnerability Details...
Security Bulletin: Vulnerability in Spring WebFlux affects watsonx.data
Summary Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2024-38821 DESCRIPTION: Spring WebFlux applications that have Spring Security...
Security Bulletin: Vulnerabilities in Apache Tomcat affect watsonx.data
Summary Apache Tomcat is vulnerable to an unchecked error condition attack and to incorrect object re-cycling and re-use attack. These can affect watsonx.data. Vulnerability Details CVEID:CVE-2024-52316 DESCRIPTION: Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured...
Security Bulletin: Vulnerability in Psf Requests affects watsonx.data
Summary Psf Requests is vulnerable to bypass security restrictions, which could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-52798 DESCRIPTION: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be...
Security Bulletin: Vulnerability in Apache Lucene affects watsonx.data
Summary Apache Lucene is vulnerable to a denial of service attack and could affect watsonx.data. Vulnerability Details IBM X-Force ID: 216835 DESCRIPTION: Apache Lucene is vulnerable to a denial of service. By sending a specific regular expression query, a remote attacker could exploit this...
Security Bulletin: Vulnerability in Cross-Spawn affects watsonx.data
Summary Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service ReDoS . This can affect watsonx.data. Vulnerability Details CVEID:CVE-2024-21538 DESCRIPTION: Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denia...
Security Bulletin: Vulnerability in Flask-Cors affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2024-6221]
Summary The Flask-Cors package is used by IBM Cloud Pak for Data System 2.0 . IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEs CVE-2024-6221. Vulnerability Details CVEID:CVE-2024-6221 DESCRIPTION: Flask-CORS could allow a remote attacker to obtain sensitive information, caused ...
Security Bulletin: Vulnerability in paramiko affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2023-48795]
Summary The paramiko package is used by IBM Cloud Pak for Data System 2.0 . IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEs CVE-2023-48795. Vulnerability Details CVEID:CVE-2023-48795 DESCRIPTION: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH befo...
Security Bulletin: Vulnerability in Werkzeug affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [ CVE-2023-46136]
Summary The Werkzeug package is used by IBM Cloud Pak for Data System 2.0 . IBM Cloud Pak for Data System 2.0 has addressed the applicable CVE CVE-2023-46136 Vulnerability Details CVEID:CVE-2023-46136 DESCRIPTION: Pallets Werkzeug is vulnerable to a denial of service, caused by a flaw when parsin...
Security Bulletin: Vulnerabilities in VMware Tanzu Spring Framework affect watsonx.data
Summary VMware Tanzu Spring Framework is vulnerable to a denial of service attacks and this could affect watsonx.data. Vulnerability Details CVEID:CVE-2022-22950 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a...
Security Bulletin: Vulnerability in tornado affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0)[CVE-2023-28370]
Summary The tornado package is used by IBM Cloud Pak for Data System 2.0 . IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEsCVE-2023-28370 Vulnerability Details CVEID:CVE-2023-28370 DESCRIPTION: Tornado could allow a remote attacker to conduct phishing attacks, caused by an open...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2024-21235, CVE-2024-21217, CVE-2024-21210, CVE-2024-21208, CVE-2024-10917)
Summary There are multiple vulnerabilities in IBM SDK Java Technology Edition used by IBM Tivoli System Automation Application Manager. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions ---|---...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2024 CPU (CVE-2024-21235, CVE-2024-21217, CVE-2024-21210, CVE-2024-21208, CVE-2024-10917)
Summary There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 8 used by 4.1.0.4 to 4.1.1.1 of IBM Tivoli System Automation for Multiplatforms. These issues were disclosed as part of the IBM Java SDK updates in Oct 2024. Vulnerability Details Refer to the security bulletin...
Security Bulletin: IBM Observability with Instana (OnPrem) is affected by multiple security vulnerabilities
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana OnPrem build 1.0.289 Vulnerability Details CVEID:CVE-2023-45283 DESCRIPTION: Golang Go could allow a remote attacker to traverse directories on the system, caused by the failure to recognize paths with a ??\ prefix...
Security Bulletin: IBM Observability with Instana is vulnerable to Authorization bypass in golang.org/x/crypto
Summary golang.org/x/crypto is used by IBM Instana Observability as part of the instana-agent-operator CVE-2024-45337. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2024-45337 DESCRIPTION: Applications and libraries which misuse...
Security Bulletin: Apache Derby vulnerability addressed in IBM JRS (Jazz Reporting Service) [CVE-2022-46337]
Summary Apache Derby might allow a remote attacker to bypass security restrictions caused by an LDAP injection vulnerability in the authenticator. This vulnerability affects IBM Jazz Reporting Service. This bulletin identifies the steps to take to mitigate the vulnerability. Vulnerability Details...
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to PAM, go-git and Golang.org/X/Crypto
Summary PAM, go-git, Golang.org/X/Crypto and IBM MQ used by IBM MQ Operator and Queue Manager container images are vulnerable to denial of service due to improper memory allocation, spoofing attacks, and providing weaker than expected security which might allow an attacker to execute arbitrary co...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to werkzeug-3.0.4-py3-none-any.whl CVE-2024-49766
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to werkzeug-3.0.4-py3-none-any.whl CVE-2024-49766. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-49766 DESCRIPTION: Werkzeug is a Web Server Gateway Interface w...
Security Bulletin: IBM Event Processing is vulnerable to Regular Expression Denial of Service (ReDoS) due to the cross-spawn package (CVE-2024-21538).
Summary Operator of IBM Event Processing is vulnerable to Regular Expression Denial of Service ReDoS due to the usage of cross-spawn package. The cross-spawn npm package is a cross-platform solution for spawning child processes in Node.js. Vulnerability Details CVEID:CVE-2024-21538 DESCRIPTION:...
Security Bulletin: IBM Event Endpoint Management is vulnerable to a Directory Traversal (or path traversal) attack (CVE-2024-21540).
Summary Operator of IBM Event Endpoint Management is vulnerable to a Directory Traversal or path traversal attack due to the source-map-support library. It helps to show original source code in error stack traces for better debugging. Vulnerability Details CVEID:CVE-2024-21540 DESCRIPTION: All...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in follow-redirects
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of follow-redirects Vulnerability Details CVEID:CVE-2024-28849 DESCRIPTION: Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by the leakage of credentials whe...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in Bouncy Castle Crypto Package For Java
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of Bouncy Castle Crypto Package For Java Vulnerability Details CVEID:CVE-2024-30171 DESCRIPTION: The Bouncy Castle Crypto Package For Java could allow a remote authenticated attacker to obtain sensitive information, caused by...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in moby: classic builder cache poisoning
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of moby: classic builder cache poisoning Vulnerability Details CVEID:CVE-2024-24557 DESCRIPTION: Moby could provide weaker than expected security, caused by improper cache validation in the classic builder cache system. By...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in Bouncy Castle Crypto Package For Java
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of Bouncy Castle Crypto Package For Java Vulnerability Details CVEID:CVE-2024-30172 DESCRIPTION: The Bouncy Castle Crypto Package For Java is vulnerable to a denial of service, caused by an infinite loop in the Ed25519...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in zipp
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of zipp. Vulnerability Details CVEID:CVE-2024-5569 DESCRIPTION: zipp is vulnerable to a denial of service, caused by an infinite loop flaw in the Path module. By using a specially crafted zip file, a local attacker could...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in urllib3
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of urllib3. Vulnerability Details CVEID:CVE-2024-37891 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to strip the Proxy-Authorization header during...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in aiohttp
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of aiohttp Vulnerability Details CVEID:CVE-2024-27306 DESCRIPTION: aio-libs aiohttp is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerabili...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in sanitize-html
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of sanitize-html. Vulnerability Details CVEID:CVE-2024-21501 DESCRIPTION: Node.js sanitize-html module could allow a remote attacker to obtain sensitive information, caused by an error when used on the backend and with the...