35665 matches found
Security Bulletin: Due to the use of VMWare Tanzu Spring Framework, IBM DevOps Build is vulnerable to remote attacker to conduct phising attacks
Summary IBM DevOps Build 7.0.0.2 addresses CVE-2024-22259 by updating spring-web jar.. Vulnerability Details CVEID:CVE-2024-22259 DESCRIPTION: Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL e.g. through a query parameter AND perform validation...
Security Bulletin: Multiple Vulnerabilities in IBM Event Streams
Summary Multiple vulnerabilities were addressed in IBM Event Streams version 11.5.1. Vulnerability Details CVEID:CVE-2023-0466 DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the X509VERIFYPARAMadd0policy function. By using invalid certifica...
Security Bulletin: IBM Cloud Pak for Data is vulnerable due to github.com/golang/net ( CVE-2023-3978, CVE-2023-45288 )
Summary github.com/golang/net is used by IBM Cloud Pak for Data as part of the platform. CVE-2023-3978, CVE-2023-45288. Vulnerability Details CVEID:CVE-2023-3978 DESCRIPTION: Golang html package is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote...
Security Bulletin: Information disclosure vulnerability affects IBM Business Automation Workflow - CVE-2024-38321
Summary IBM Business Automation Workflow is vulnerable to an information disclosure attack. Vulnerability Details CVEID:CVE-2024-38321 DESCRIPTION: IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 stores potentially sensitive information in log files under certain situations th...
Security Bulletin: IBM Planning Analytics Cartridge for IBM Cloud Pak for Data is affected but not considered vulnerable to CVE-2023-45288
Summary IBM Planning Analytics Cartridge for IBM Cloud Pak for Data is affected but not considered vulnerable, based on current information, to CVE-2023-45288 in Golang Go used by the IBM Planning Analytics Engine. This has been resolved by upgrading Golang Go to a non-vulnerable version. This...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, in Golang Go [CVE-2023-45288]
Summary Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, in Golang Go, caused by a memory exhaustion flaw due to flood of CONTINUATION frames in the HTTP/2 protocol stack in the net/http and x/net/http2 packagesCVE-2023-45288...
Security Bulletin: IBM InfoSphere Information Server is vulnerable due to improper error handling (CVE-2024-39751)
Summary A vulnerability related to improper error handling in InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2024-39751 DESCRIPTION: IBM InfoSphere Information Server could allow a remote attacker to obtain sensitive information when a detailed technical error messag...
Security Bulletin: IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is affected by vulnerability in Netty (CVE-2024-29025)
Summary Netty is used by IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library. CVE-2024-29025 The below vulnerability have been addressed. Vulnerability Details CVEID:CVE-2024-29025 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid...
Security Bulletin: IBM Event Streams is vulnerable to a denial of service attack due to the Eclipse Vert.x component (CVE-2024-1023,CVE-2024-1300).
Summary IBM Event Streams is vulnerable to a denial of service attack due to the Vert.x component.It is a toolkit for writing reactive, non-blocking, asynchronous applications that run on the JVM Java Virtual Machine and it provides a non-prescriptive and flexible way to write efficient,...
Security Bulletin: Recommended mitigation for SSH "Terrapin" vulnerability in IBM SAN Volume Controller, IBM Storwize, IBM Storage Virtualize and IBM FlashSystem products
Summary The SSH "Terrapin" vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Storage Virtualize and IBM FlashSystem products when using the [email protected] cipher. This cipher can be disabled with a chsecurity command to fix the vulnerability. Vulnerability Details...
Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.6.1 Vulnerability Details CVEID:CVE-2024-32465 DESCRIPTION: Git could allow a physical attacker to bypass security restrictions, caused by a directory traversal flaw. By sending a specially crafted request, an...
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that run Designer Flows containing event nodes are vulnerable to loss of confidentiality [CVE-2024-38372]
Summary Node.js undici module is used by IBM App Connect Enterprise Certified Container for HTTP calls. IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that run Designer flows that contain event nodes are vulnerable to loss of confidentiality. This...
Security Bulletin: Vulnerabilites in the IBM WebSphere Application Server Liberty version 17.0.0.3 - 24.0.0.5 affects Watson Machine Learning Accelerator on Cloud Pak for Data
Summary Vulnerabilites in the IBM WebSphere Application Server Liberty version 17.0.0.3 - 24.0.0.5 affects Watson Machine Learning Accelerator on Cloud Pak for Data several releases. It has be fixed in Watson Machine Learning Accelerator on Cloud Pak for Data 5.0.1 release. Vulnerability Details...
Security Bulletin: Business Automation Manager Open Editions 8.0.5 - jgit vulnerability
Summary Business Automation Manager Open Editions in version 8.0.5 contains a vulnerability in jgit library, that is used as part of the release. For more information, please see the vulnerability description in the Vulnerability Details section. Vulnerability Details CVEID:CVE-2023-4759...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Maven (CVE-2021-26291)
Summary A vulnerability in Apache Maven that is used by InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2021-26291 DESCRIPTION: Apache Maven could allow a remote attacker to bypass security restrictions, caused by the use of http non-SSL repository references by...
Security Bulletin: IBM i is vulnerable to bypassing Navigator for i interface restrictions and a server-side request forgery [CVE-2024-51463, CVE-2024-51464].
Summary IBM i is vulnerable to bypassing IBM Navigator for i interface restrictions and a server-side request forgery SSRF as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerabilities as described in the remediation/fixes section...
Security Bulletin: IBM i is vulnerable to an authenticated user gaining elevated privilege to a physical file [CVE-2024-47104].
Summary IBM i is vulnerable to an authenticated user gaining elevated privilege to a physical file by altering based-on file attributes as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes...
Security Bulletin: IBM i is vulnerable to a file level denial of service due to an insufficient authority requirement. [CVE-2024-35122]
Summary IBM i is vulnerable to a file level local denial of service caused by an insufficient authority requirement as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes section below...
Security Bulletin: A Security Vulnerability was discovered in IBM Semeru Runtime Certified Edition provided with IBM Security Verify Directory (CVE-2023-33850)
Summary A Security Vulnerability was addressed in IBM Semeru Runtime Certified Edition provided with IBM Security Verify Directory. Vulnerability Details CVEID:CVE-2023-33850 DESCRIPTION: IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side...
Security Bulletin: A Security Vulnerability was discovered in IBM Runtime Environment, Java Technology Edition provided with IBM Security Directory Suite (CVE-2023-33850)
Summary A Security Vulnerability was addressed in IBM Semeru Runtime Certified Edition provided with IBM Security Verify Directory and IBM Runtime Environment, Java Technology Edition provided with IBM Security Directory Suite. Vulnerability Details CVEID:CVE-2023-33850 DESCRIPTION: IBM...
Security Bulletin: IBM Financial Transaction Manager for SWIFT Services for Multiplatforms is vulnerable to cross-site scripting.
Summary IBM Financial Transaction Manager for SWIFT Services for Multiplatforms is vulnerable to cross-site scripting CVE-2024-49349. Vulnerability Details CVEID:CVE-2024-49349 DESCRIPTION: IBM Financial Transaction Manager for SWIFT Services is vulnerable to cross-site scripting. This...
Security Bulletin: Cross-site scripting vulnerability in IBM Financial Transaction Manager for SWIFT Services
Summary Cross-site scripting vulnerability in IBM Financial Transaction Manager for SWIFT Services Vulnerability Details CVEID:CVE-2024-49339 DESCRIPTION: IBM Financial Transaction Manager is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitra...
Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java
Summary IBM Sterling Connect:Direct Web Service uses IBM Java SE. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-21235 DESCRIPTION: Vulnerability in Java SE component: Hotspot. Difficult to exploit vulnerability allows unauthenticat...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Golang Go [CVE-2024-24789]
Summary IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Golang Go, caused by a flaw with EOCDR comment length handling is inconsistent with other ZIP implementations in the archive/zip package CVE-2024-24789. Golang Go is included as part of the speech...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Kubernetes kubelet [CVE-2024-5321]
Summary IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Kubernetes kubelet, caused by incorrect permissions on Windows containers logs CVE-2024-5321. Kubernetes is included as part of the speech utilities used in our product. This vulnerabilitiy has been...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an arbitrary code execution in libexpat [CVE-2024-45492]
Summary IBM Watson Speech Services Cartridge is vulnerable to an arbitrary code execution in libexpat, caused by an integer overflow in the nextScaffoldPart function in xmlparse.c CVE-2024-45492. libexpat is used by our Speech Service runtimes. This vulnerabilitiy has been addressed. Please read...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in OpenSSL [CVE-2024-6119]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in OpenSSL, caused by an error when performing certificate name checks CVE-2024-6119. OpenSSL is used by our Speech Service runtimes. This vulnerabilitiy has been addressed. Please read the details for remediation...
Security Bulletin: Security Vulnerability in protobuf-java Affects the B2B API of IBM Sterling B2B Integrator (CVE-2024-7254)
Summary IBM Sterling B2B Integrator has addressed the security vulnerability in protobuf-java Vulnerability Details CVEID:CVE-2024-7254 DESCRIPTION: Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by...
Security Bulletin: The Dashboard of IBM Sterling B2B Integrator is Vulnerable to Denial of Service Due to Prototype (CVE-2020-27511)
Summary IBM Sterling B2B Integrator has addressed the denial of service security vulnerability Vulnerability Details CVEID:CVE-2020-27511 DESCRIPTION: Prototype is vulnerable to a denial of service, caused by a regular expression denial of service ReDOS flaw in the stripTags and unescapeHTML...
Security Bulletin: IBM Sterling B2B Integrator is Vulnerable to Denial of Service due to Apache Kafka (CVE-2022-34917)
Summary IBM Sterling B2B Integrator has addressed the denail of service vulnerability from Apache Kafka Vulnerability Details CVEID:CVE-2022-34917 DESCRIPTION: Apache Kafka is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted request, a remote...
Security Bulletin: The B2B API of IBM Sterling B2B Integrator is Vulnerable to Denial of Service due to Snappy (CVE-2024-36124)
Summary IBM Sterling B2B Integrator has addressed the denial of service vulnerablity from Snappy Vulnerability Details CVEID:CVE-2024-36124 DESCRIPTION: Snappy is vulnerable to a denial of service, caused by an out-of-bounds read flaw when uncompressing data. By sending a specially crafted reques...
Security Bulletin: Vulnerability in DasterXML Jackson Core affect watsonx.data
Summary FasterXML Jackson Core is vulnerable to a denial of service attack which could impact watsonx.data Vulnerability Details IBM X-Force ID: 256137 DESCRIPTION: FasterXML Jackson Core is vulnerable to a denial of service, caused by improper input validation by the StreamReadConstraints value...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for Jan 2025
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 2.0.0 IF001 Vulnerability Details CVEID:CVE-2024-43796 DESCRIPTION: expressjs express is vulnerable to cross-site scripting, caused by improper...
Security Bulletin: Vulnerability in VMware Tanzu Spring Framework affects watsonx.data
Summary VMware Tanzu Spring Framework is vulnerable to a denial of service attack, which could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-38809 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a special...
Security Bulletin: Vulnerability in GNU Wget affects watsonx.data
Summary GNU Wget could allow a remote authenticated attacker to bypass security restrictions, and this could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-38428 DESCRIPTION: GNU Wget could allow a remote authenticated attacker to bypass security restrictions, caused by the mishandling...
Security Bulletin: Vulnerability in Microsoft Azure Identity Libraries and Microsoft Authentication Library affects watsonx.data
Summary Microsoft Azure Identity Libraries and Microsoft Authentication Library is vulnerable to elevation of privileges attacks. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-35255 DESCRIPTION: Microsoft Azure Identity Libraries and Microsoft Authentication Library could...
Security Bulletin: Vulnerability in jshttp cookie affects watsonx.data
Summary jshttp cookie could allow a remote attacker to bypass security restrictions, and this could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-47764 DESCRIPTION: jshttp cookie could allow a remote attacker to bypass security restrictions, caused by improper input validation by the...
Security Bulletin: Vulnerability in Apache Commons IO affects watsonx.data
Summary Apache Commons IO is vulnerable to a denial of service attack. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-47554 DESCRIPTION: Apache Commons IO is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the...
Security Bulletin: Vulnerability in Apache commons-compress affects watsonx.data
Summary Apache Commons Compress is vulnerable to a denial of service attack and this could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-25710 DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a...
Security Bulletin: Vulnerability in path-to-regexp affects watsonx.data
Summary path-to-regexp is vulnerable to denial of service attacks. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-45296 DESCRIPTION: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be...
Security Bulletin: The B2B API of IBM Sterling B2B Integrator is Vulnerable to Denial of Service (CVE-2024-32007)
Summary IBM Sterling B2B Integrator has addressed the denial of service vulnerability Vulnerability Details CVEID:CVE-2024-32007 DESCRIPTION: Apache CXF is vulnerable to a denial of service, caused by improper input validation by the p2c parameter. By sending a specially crafted request, a remote...
Security Bulletin: Vulnerability in go-retryablehttp affects watsonx.data
Summary go-retryablehttp could allow a local authenticated attacker to obtain sensitive information. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-6104 DESCRIPTION: go-retryablehttp could allow a local authenticated attacker to obtain sensitive information, caused by the...
Security Bulletin: Vulnerability in VMware Tanzu Spring Framework affects watsonx.data
Summary VMware Tanzu Spring Framework is vulnerable to a denial of service attack and this could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-38808 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a...
Security Bulletin: IBM Sterling B2B Integrator is Vulnerable to Denial of Service (CVE-2024-31919, CVE-2024-35116)
Summary IBM Sterling B2B Integrator has addressed the denial of service vulnerability Vulnerability Details CVEID:CVE-2024-31919 DESCRIPTION: IBM MQ 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.3 LTS and 9.3 CD, in certain configurations, is vulnerable to a denial of service attack caused by an error processing...
Security Bulletin: Vulnerability in Elasticsearch affects watsonx.data
Summary Elastic Elasticsearch could allow a remote authenticated attacker to obtain sensitive information. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-23444 DESCRIPTION: Elastic Elasticsearch could allow a remote authenticated attacker to obtain sensitive information,...
Security Bulletin: Vulnerabiity in pillarjs send affects watsonx.data
Summary pillarjs send is vulnerable to cross-site scripting, and this could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-43799 DESCRIPTION: pillarjs send is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this...
Security Bulletin: Vulnerability in urllib3 affects watsonx.data
Summary urllib3 could allow a remote authenticated attacker to obtain sensitive information. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-37891 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to strip...
Security Bulletin: Vulnerability in Eclipse EE4J Jakarta Expression Language affects watsonx.data
Summary Eclipse EE4J Jakarta Expression Language is vulnerable to bypass security restrictions attacks. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2021-28170 DESCRIPTION: Eclipse EE4J Jakarta Expression Language could allow a remote attacker to bypass security restrictions,...
Security Bulletin: Vulnerability in Express.js affects watsonx.data
Summary Express.js Express is vulnerable to conduct phishing attacks. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-29041 DESCRIPTION: Express.js Express could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could...
Security Bulletin: IBM QRadar SIEM protocols are vulnerable to information exposure and denial of service (CVE-2021-29425)
Summary Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation in the FileNameUtils.normalize method. Vulnerability Details CVEID:CVE-2021-29425 DESCRIPTION: Apache Commons IO could allow a remote attacker to traverse directories...