Security Bulletin: Due to the use of Apache Tomcat, IBM webMethods Integration is affected by some vulnerabilities
Summary Vulnerabilities due to Apache Tomcat have been addressed in IBM webMethods Integration. Vulnerability Details CVEID:CVE-2025-55754 DESCRIPTION: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log...
Security Bulletin: Security vulnerability affects IBM Business Automation Workflow - CVE-2025-52999
Summary IBM Business Automation Workflow Case documentation before 25.0.0 is built upon a version of DITA, which packages a vulnerable copy of jackson-core. Vulnerability Details CVEID:CVE-2025-52999 DESCRIPTION: jackson-core contains core low-level incremental "streaming" parser and generator...
Security Bulletin: A security vulnerability has been identified in WebSphere Application Server and Websphere Application Server Liberty shipped with IBM Guardium Key Lifecycle Manager (GKLM)
Summary WebSphere Application Server and WebSphere Application Server Liberty are shipped as components of IBM Guardium Key Lifecycle Manager (GKLM). Information about a security vulnerability affecting WebSphere Application Server and WebSphere Application Server Liberty has been published in a...
Security Bulletin: A security vulnerability has been found in IBM Application Gateway
Summary A security vulnerability has been addressed in IBM Application Gateway. Vulnerability Details CVEID:CVE-2023-52425 DESCRIPTION: libexpat through 2.5.0 allows a denial of service resource consumption because many full reparsings are required in the case of a large token for which multiple...
Security Bulletin: Due to use of Red Hat Linux, IBM QRadar Network Packet Capture is vulnerable to a buffer overflow
Summary IBM QRadar Network Packet Capture is bundled with Red Hat Linux 8.10. A buffer overflow vulnerability has been addressed (CVE-2024-52533). Vulnerability Details CVEID:CVE-2024-52533 DESCRIPTION: gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer...
Security Bulletin: IBM Storage Insights is vulnerable to weakness related to Apache Commons Lang
Summary Vulnerabilities in Apache Commons Lang may affect IBM Storage Insights which could allow uncontrolled recursion. Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with...
Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to XML External Entity Injection (XXE)
Summary An XML External Entity Injection (XXE) vulnerability in InfoSphere Information Server Manager can potentially be used by an attacker to retrieve sensitive documents. Information Server Manager has a bulk import feature to help users import lists of Source Control Module (SCM) websites or user...
Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Cross-Site Scripting (CVE-2025-36135)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the cross-site scripting vulnerability. Vulnerability Details CVEID:CVE-2025-36135 DESCRIPTION: IBM Sterling B2B Integrator is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to emb...
Security Bulletin: IBM QRadar SIEM is affected by cross-site scripting (CVE-2025-36170, CVE-2025-36138)
Summary IBM QRadar SIEM is affected by cross-site scripting. IBM has addressed the issue in the latest update. Vulnerability Details CVEID:CVE-2025-36170 DESCRIPTION: IBM QRadar is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary...
Security Bulletin: Multiple Vulnerabilities in IBM API Connect
Summary Multiple vulnerabilities were addressed in IBM API Connect version 10.0.8.5. Vulnerability Details CVEID:CVE-2020-36732 DESCRIPTION: The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more...
Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM
Summary Multiple vulnerabilities were addressed in IBM QRadar SIEM version 7.5.0 UP14 IF01. Vulnerability Details CVEID:CVE-2025-38527 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in cifs_oplock_break A race condition can occur in...
Security Bulletin: IBM InfoSphere Information Server is affected by an XML external entity injection (XXE) vulnerability (CVE-2025-12531)
Summary An XML external entity injection (XXE) vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-12531 DESCRIPTION: IBM InfoSphere Information Server is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote...
Security Bulletin: IBM QRadar SIEM protocol is affected by an Elevation of Privilege in the Azure SDK for Java
Summary Azure SDK for Java may allow privilege escalation under certain conditions; IBM QRadar SIEM has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2020-16971 DESCRIPTION: Azure SDK for Java Security Feature Bypass Vulnerability CVSS Source: NVD CVSS Base score: 9.1 CVSS...
Security Bulletin: IBM webMethods BPM is affected by multiple vulnerabilities
Summary Vulnerabilities due to Apache Tomcat have been addressed in IBM webMethods BPM. Vulnerability Details CVEID:CVE-2025-52520 DESCRIPTION: For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits...
Security Bulletin: IBM QRadar SIEM is affected by improper storage of credentials in configuration files
Summary IBM QRadar SIEM is affected by improper storage of credentials in configuration files in source control. IBM has addressed the issue in the latest update. Vulnerability Details CVEID:CVE-2025-33119 DESCRIPTION: IBM QRadar SIEM stores user credentials in configuration files in source contr...
Security Bulletin: IBM Tivoli Application Dependency Discovery Manager is vulnerable because IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a denial of service.
Summary IBM Tivoli Application Dependency Discovery Manager is exposed to multiple vulnerabilities because it uses IBM WebSphere Application Server Liberty, which has multiple vulnerabilities: CVE-2025-36000, CVE-2025-36047, CVE-2024-56339. Vulnerability Details CVEID:CVE-2025-36000 DESCRIPTION: IB...
Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable because quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component.
Summary IBM Sterling Partner Engagement Manager is vulnerable because quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component. Vulnerability Details CVEID:CVE-2022-42004 DESCRIPTION: FasterXML jackson-databind is vulnerable to a denial o...
Security Bulletin: Due to use of jetty-server, IBM webMethods BPM is vulnerable to corrupted and/or inadvertent sharing of data between requests
Summary IBM webMethods BPM uses jetty-server, which is affected by a known vulnerability, CVE-2024-13009. This security bulletin provides guidance on addressing the vulnerability. Vulnerability Details CVEID:CVE-2024-13009 DESCRIPTION: In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be...
Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant On Prem
Summary Multiple vulnerabilities were addressed in IBM watsonx Code Assistant On Prem V5.2.2. Vulnerability Details CVEID:CVE-2024-55459 DESCRIPTION: An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the getfile...
Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana within Instana Agent container image build 1.0.308. Vulnerability Details CVEID:CVE-2025-32990 DESCRIPTION: A heap-buffer-overflow off-by-one flaw was found in the GnuTLS software in the template parsing logic withi...
Security Bulletin: IBM Tivoli Composite Application Manager for Application Diagnostics installs IBM WebSphere Application Server and WebSphere Application Server Liberty and is affected by SMTP injection due to Jakarta Mail.
Summary The security issue described in CVE-2025-7962 has been identified in the WebSphere Application Server included as part of IBM Tivoli Composite Application Manager for Application Diagnostics. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...
Security Bulletin: IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager is vulnerable to SMTP injection due to Jakarta Mail (CVE-2025-7962)
Summary A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section. Affected Products and Versions Affected Products|...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in python3-setuptools python3-setuptools-wheel setuptools
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in python3-setuptools python3-setuptools-wheel setuptools Vulnerability Details CVEID:CVE-2025-47273 DESCRIPTION: setuptools is a package that allows users to download, build, install, upgrade, and...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in brace-expansion nodejs nodejs-docs nodejs-full-i18n npm
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in brace-expansion nodejs nodejs-docs nodejs-full-i18n npm Vulnerability Details CVEID:CVE-2025-5889 DESCRIPTION: A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in torch-2.6.0-cp313-cp313-manylinux1_x86_64.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in torch-2.6.0-cp313-cp313-manylinux1_x86_64.whl Vulnerability Details CVEID:CVE-2025-2148 DESCRIPTION: A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared as critical. Affected by this...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in tar
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in tar Vulnerability Details CVEID:CVE-2022-48303 DESCRIPTION: GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in tar
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in tar Vulnerability Details CVEID:CVE-2021-20193 DESCRIPTION: A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to caus...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in node
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in node Vulnerability Details CVEID:CVE-2021-43803 DESCRIPTION: Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in axios-1.8.3.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in axios-1.8.3.tgz Vulnerability Details CVEID:CVE-2025-58754 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on Node.j...
Security Bulletin: Multiple vulnerabilities in IBM Observability with Instana (OnPrem)
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana OnPrem build 1.0.307. Vulnerability Details CVEID:CVE-2025-57810 DESCRIPTION: jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in C...
Security Bulletin: Multiple vulnerabilities in Open Source affect IBM Cloud Pak System
Summary Multiple vulnerabilities in Open Source affect IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-21538 DESCRIPTION: Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input...
Security Bulletin: IBM OpenPages mitigates Host header injection vulnerability (CVE-2025-36223)
Summary A vulnerability in IBM OpenPages could allow an attacker to manipulate the Host header in a request, potentially influencing the response data. In certain redirection scenarios, user navigation could be influenced in unintended ways, potentially leading to exposure to untrusted...
Security Bulletin: IBM OpenPages Vulnerable to Information Disclosure (CVE-2025-27368)
Summary Application API vulnerability that exposes metadata for configurable fields due to insufficient access control checks in IBM OpenPages has been addressed. Vulnerability Details CVEID:CVE-2025-27368 DESCRIPTION: IBM OpenPages is vulnerable to information disclosure of sensitive information...
Security Bulletin: Multiple Vulnerabilities in IBM webMethods BPM
Summary Multiple vulnerabilities were addressed in IBM webMethods BPM. Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons...
Security Bulletin: Due to the use of Eclipse JGit, IBM webMethods Integration is affected by denial of service and other security issues
Summary Eclipse JGit is used by IBM webMethods Integration in its repository function (CVE-2025-4949). Vulnerability Details CVEID:CVE-2025-4949 DESCRIPTION: In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implemen...
Security Bulletin: IBM Sterling Transformation Extender is affected by multiple IBM Semeru Java 17 vulnerabilities
Summary IBM Sterling Transformation Extender uses IBM Semeru Runtime Certified Edition, Version 17 and is affected by multiple vulnerabilities: CVE-2025-53057, CVE-2025-53066, CVE-2025-50059, CVE-2025-50106, CVE-2025-30749, CVE-2025-30761 and CVE-2025-30754. Vulnerability Details...
Security Bulletin: IBM Sterling Transformation Extender is affected by multiple IBM Java 8 vulnerabilities
Summary IBM Sterling Transformation Extender uses IBM SDK, Java Technology Edition, Version 8 and is affected by multiple vulnerabilities: CVE-2025-53066, CVE-2025-53057, CVE-2025-50106, CVE-2025-30749, CVE-2025-30761 and CVE-2025-30754. Vulnerability Details CVEID:CVE-2025-53066 DESCRIPTION: An...
Security Bulletin: Multiple Vulnerabilities in Hyper Converged Database
Summary Multiple vulnerabilities were addressed in Hyper Converged Database version 1.2.4. Vulnerability Details CVEID:CVE-2017-6519 DESCRIPTION: avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows...
Security Bulletin: IBM MQ is affected by multiple vulnerabilities in the IBM Semeru Runtime Environment (CVE-2025-50059, CVE-2025-50106, CVE-2025-30749, CVE-2025-30761, CVE-2025-30754)
Summary Multiple issues were identified with the IBM Semeru Runtime Environment, which is shipped with IBM MQ. Vulnerability Details CVEID:CVE-2025-50059 DESCRIPTION: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component:...
Security Bulletin: IBM Jazz Reporting Service is vulnerable to uncontrolled resource consumption in Apache Commons IO
Summary A vulnerability has been identified in the Apache Commons IO library. This issue affects IBM® Jazz Reporting Service and has been addressed as documented in the Remediation section (CVE-2024-47554). Vulnerability Details CVEID:CVE-2024-47554 DESCRIPTION: Uncontrolled Resource Consumption...
Security Bulletin: Multiple Vulnerabilities in IBM StreamSets Data Collector
Summary Multiple vulnerabilities were addressed in IBM StreamSets Data Collector version 6.4.0. Vulnerability Details CVEID:CVE-2015-5262 DESCRIPTION: http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setti...
Security Bulletin: WebSphere Application Server Liberty is affected by a security bypass in JMS messaging (CVE-2025-36124)
Summary WebSphere Application Server Liberty is affected by a security bypass in JMS messaging (CVE-2025-36124). Vulnerability Details CVEID:CVE-2025-36124 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 could allow a remote attacker to bypass security restrictions...
Security Bulletin: WebSphere Application Server Liberty is affected by a denial of service with HTTP/2 (CVE-2025-36047)
Summary WebSphere Application Server Liberty is affected by a denial of service with HTTP/2 (CVE-2025-36047). Vulnerability Details CVEID:CVE-2025-36047 DESCRIPTION: IBM WebSphere Application Server Liberty 18.0.0.2 through 25.0.0.8 is vulnerable to a denial of service, caused by sending a...
Security Bulletin: WebSphere Application Server Liberty is affected by a denial of service (CVE-2025-36000)
Summary WebSphere Application Server Liberty is affected by a denial of service (CVE-2025-36000). Vulnerability Details CVEID:CVE-2025-36000 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 is vulnerable to stored cross-site scripting. This vulnerability allows a...
Security Bulletin: Multiple Vulnerabilities in IBM Concert Software
Summary Multiple vulnerabilities were addressed in IBM Concert Software version 2.1.0. Vulnerability Details CVEID:CVE-2023-47038 DESCRIPTION: A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attack...
Security Bulletin: There is a vulnerability in netty-codec-http2-4.1.115.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-55163)
Summary There is a vulnerability in netty-codec-http2-4.1.115.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-55163 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. Prior to versions...
Security Bulletin: WebSphere Application Server Liberty is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)
Summary WebSphere Application Server Liberty is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976). Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache...
Security Bulletin: There is a vulnerability in netty-codec-4.1.115.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-58057)
Summary There is a vulnerability in netty-codec-4.1.115.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-58057 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainabl...
Security Bulletin: There is a vulnerability in netty-codec-http-4.1.115.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-58056)
Summary There is a vulnerability in netty-codec-http-4.1.115.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-58056 DESCRIPTION: Netty is an asynchronous event-driven network application framework for development of maintainable...
Security Bulletin: There is a vulnerability in reactor-netty-http-1.2.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-22227)
Summary There is a vulnerability in reactor-netty-http-1.2.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-22227 DESCRIPTION: In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order f...