Security Bulletin: IBM Edge Data Collector uses urllib3-1.26.19-py2.py3-none-any.whl which is vulnerable to CVE-2025-50181, CVE-2025-50182.
Summary IBM Edge Data Collector uses urllib3-1.26.19-py2.py3-none-any.whl which is vulnerable to CVE-2025-50181, CVE-2025-50182. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2025-50181 DESCRIPTION: urllib3 is a user-friendly HTTP...
Security Bulletin: IBM Edge Data Collector uses ring-0.17.9.crate which is vulnerable to CVE-2025-4432.
Summary IBM Edge Data Collector uses ring-0.17.9.crate which is vulnerable to CVE-2025-4432. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2025-4432 DESCRIPTION: A flaw was found in Rust's Ring package. A panic may be triggered whe...
Security Bulletin: IBM Edge Data Collector uses crossbeam-channel-0.5.14.crate which is vulnerable to CVE-2025-4574.
Summary IBM Edge Data Collector uses crossbeam-channel-0.5.14.crate which is vulnerable to CVE-2025-4574. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-4574 DESCRIPTION: In crossbeam-channel rust crate, the internal Channel type's...
Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which are vulnerable to CVEs.
Summary IBM Maximo Application Suite uses "form-data 4.0.0, org.apache.cxf:cxf-core 3.6.7, net/http/internal v1.24.1, braces 3.0.2, cross-spawn 7.0.3, crypto/x509 1.24.1 1.24.3, github.com/golang-jwt/jwt/v4 github.com/golang-jwt/jwt/v5 v4.5.0 v5.2.1, httpd 2.4.37, setuptools 78.0.2 75.8.0,...
Security Bulletin: IBM Maximo Application Suite uses multiple third party libraries which are vulnerable to multiple CVEs
Summary IBM Maximo Application Suite uses setuptools 76.1.0, urllib3-1.26.20-py2.py3-none-any.whl, cross-spawn v7.0.3, braces v3.0.2, axios-1.11.0.tgz, xmltodict-0.14.2-py2.py3-none-any.whl, WebSphere Application Server Liberty version 25.0.0.8 which are vulnerable to CVE-2025-47273, CVE-2025-5018...
Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Multiple Spring Framework Vulnerabilities (CVE-2024-38828,CVE-2024-38820)
Summary Spring MVC controller is vulnerable to a DoS attack, and DataBinder is vulnerable to a Case Sensitive Match Exception. These vulnerabilities were remediated. Vulnerability Details CVEID:CVE-2024-38828 DESCRIPTION: Spring MVC controller methods with an @RequestBody byte method parameter are vulnerable to a DoS...
Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Multiple Spring Framework Vulnerabilities (CVE-2025-41249,CVE-2025-41242)
Summary IBM OpenPages for Cloud Pak for Data is Vulnerable to Multiple Spring Framework Vulnerabilities. These vulnerabilities were remediated. Vulnerability Details CVEID:CVE-2025-41249 DESCRIPTION: The Spring Framework annotation detection mechanism may not correctly resolve annotations on...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Axios (CVE-2025-58754)
Summary A vulnerability in Axios that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-58754 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a...
Security Bulletin: IBM i is affected by a privilege escalation in IBM i SQL services [CVE-2025-36367]
Summary IBM i is vulnerable to privilege escalation caused by an invalid IBM i SQL services authorization check CVE-2025-36367 as described in the vulnerability details section. Vulnerability Details CVEID:CVE-2025-36367 DESCRIPTION: IBM i is vulnerable to privilege escalation caused by an invali...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Undertow (CVE-2025-9784)
Summary A vulnerability in Undertow that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-9784 DESCRIPTION: A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Spring (CVE-2025-41249)
Summary A vulnerability in Spring that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-41249 DESCRIPTION: The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an uncontrolled resource consumption and out of bounds write in Bouncy Castle [CVE-2025-9341, CVE-2025-9340]
Summary IBM Watson Speech Services Cartridge is vulnerable to an uncontrolled resource consumption and out of bounds write in Bouncy Castle, due to issues in AESNativeCBC.Java and AESNativeCBC.Java which allow excessive allocation CVE-2025-9341 and issues in jcajce/provider/BaseCipher...
Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server Liberty affect IBM InfoSphere Information Server
Summary There are multiple vulnerabilities in IBM® WebSphere Application Server Liberty that is used by IBM InfoSphere Information Server. These are addressed. Vulnerability Details CVEID:CVE-2025-36047 DESCRIPTION: IBM WebSphere Application Server Liberty 18.0.0.2 through 25.0.0.8 is vulnerable ...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to unexpected behavior in pytorch [CVE-2025-55552]
Summary IBM Watson Speech Services Cartridge is vulnerable to unexpected behavior in pytorch, which creates an inconsistent swap with eager when compiling, CVE-2025-55552. Pytorch is used in our speech service runtimes. This vulnerability has been addressed. Please read the details for remediation...
Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities
Summary IBM Guardium Data Security Center has addressed these vulnerabilities with an update. Vulnerability Details CVEID:CVE-2025-41249 DESCRIPTION: The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Resource Shutdown or Release in PyTorch [CVE-2025-4287]
Summary IBM Watson Speech Services Cartridge is vulnerable to an Improper Resource Shutdown or Release in PyTorch that can be manipulated to cause a Denial of Service attack, CVE-2025-4287. PyTorch is used in our speech service runtimes. This vulnerability has been addressed. Please read the...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Allocation of Resources Without Limits or Throttling in Bouncy Castle [CVE-2025-8916]
Summary IBM Watson Speech Services Cartridge is vulnerable to Allocation of Resources Without Limits or Throttling in Bouncy Castle, due to BC API modules which allow Excessive Allocation, CVE-2025-8916. Bouncy Castle is used in our speech microservices. This vulnerability has been addressed. Plea...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Resource Shutdown or Release in Apache Tomcat [CVE-2025-48989]
Summary IBM Watson Speech Services Cartridge is vulnerable to an Improper Resource Shutdown or Release in Apache Tomcat, due to a vulnerability to the 'made you reset attack', CVE-2025-48989. Apache Tomcat is used in our speech microservices. This vulnerability has been addressed. Please read the...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Uncontrolled Resource Consumption in Apache Tomcat [CVE-2025-53506]
Summary IBM Watson Speech Services Cartridge is vulnerable to an Uncontrolled Resource Consumption in Apache Tomcat, occurring when the HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams, CVE-2025-53506. Apache Tomcat is used in our...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an integer overflow in Apache Tomcat [CVE-2025-52520]
Summary IBM Watson Speech Services Cartridge is vulnerable to a DoS in Apache Tomcat, due to an Integer Overflow vulnerability that could allow bypassing of size limits, CVE-2025-52520. Apache Tomcat is used in our speech microservices. This vulnerability has been addressed. Please read the detai...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an injection attack in huggingface/transformers [CVE-2025-3777]
Summary IBM Watson Speech Services Cartridge is vulnerable to an injection attack in huggingface/transformers, due to an improper input validation vulnerability in the image_utils.py file, CVE-2025-3777. Huggingface/transformers is used in our speech service runtimes. This vulnerability has been...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Denial of Service in huggingface/transformers [CVE-2025-5197]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Denial of Service in huggingface/transformers, due to an exploitable issue in the convert_tf_weight_name_to_pt_weight_name function, CVE-2025-5197. Huggingface/transformers is used in our speech service runtimes. This vulnerability has been...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Denial of Service in huggingface/transformers [CVE-2025-3262, CVE-2025-3264, CVE-2025-3933, CVE-2025-3263]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Denial of Service in huggingface/transformers, due to various issues identified within the package CVE-2025-3262, CVE-2025-3264, CVE-2025-3933, CVE-2025-3263. Huggingface/transformers is used in our speech service runtimes. This...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a RecursionError DoS in protobuf [CVE-2025-4565]
Summary IBM Watson Speech Services Cartridge is vulnerable to a RecursionError DoS in protobuf, due to an issue with the Protobuf Pure-Python backend, CVE-2025-4565. Protobuf is used in our speech service runtimes. This vulnerability has been addressed. Please read the details for remediation...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Improper Input Validation in protobuf [CVE-2022-3171]
Summary IBM Watson Speech Services Cartridge is vulnerable to Improper Input Validation in protobuf, due to a parsing issue with binary data in protobuf-java core, CVE-2022-3171. Protobuf is used in our speech service runtimes. This vulnerability has been addressed. Please read the details for...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to various issues in postgresql
Summary IBM Watson Speech Services Cartridge is vulnerable to various issues in PostgreSQL; please see below. PostgreSQL is used in our speech utilities. This vulnerability has been addressed. Please read the details for remediation below. Vulnerability Details CVEID:CVE-2023-39417 DESCRIPTION: I...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Cross-site Scripting in golang.org/x/net/proxy [CVE-2025-22872]
Summary IBM Watson Speech Services Cartridge is vulnerable to Cross-site Scripting in golang.org/x/net/proxy, due to incorrect interpretation of tags in the tokenizer, CVE-2025-22872. Golang is used in our speech utilities. This vulnerability has been addressed. Please read the details for...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to slow parsing in golang.org/x/net/proxy [CVE-2024-45338]
Summary IBM Watson Speech Services Cartridge is vulnerable to slow parsing in golang.org/x/net/proxy, due to non-linear parsing of input with respect to its length, CVE-2024-45338. Golang is used in our speech utilities. This vulnerability has been addressed. Please read the details for...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a misinterpretation of Input in golang.org/x/net/proxy [CVE-2025-22870]
Summary IBM Watson Speech Services Cartridge is vulnerable to a misinterpretation of Input in golang.org/x/net/proxy, due to matching of hosts against proxy patterns which can improperly treat an IPv6 zone ID as a hostname component, CVE-2025-22870. Golang is used in our speech utilities. This...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Insufficiently Protected Credentials in Requests [CVE-2024-47081]
Summary IBM Watson Speech Services Cartridge is vulnerable to Insufficiently Protected Credentials in Requests, due to a URL parsing issue, CVE-2024-47081. Requests is used in our speech runtimes. This vulnerability has been addressed. Please read the details for remediation below. Vulnerability...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Node DoS vulnerability in Kubernetes [CVE-2025-0426]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Node DoS vulnerability in Kubernetes, due to a flaw in the kubelet read-only HTTP endpoint, CVE-2025-0426. Kubernetes is used in our speech-utilities. This vulnerability has been addressed. Please read the details for remediation...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a path traversal vulnerability in protobuf [CVE-2025-47273]
Summary IBM Watson Speech Services Cartridge is vulnerable to a path traversal vulnerability in Chuck-protobuf, due to a flaw in setuptools PackageIndex, CVE-2025-47273. Protobuf is used in our speech service runtimes. This vulnerability has been addressed. Please read the details for remediation...
Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities.
Summary There are vulnerabilities in Open-Source Software (OSS) components consumed by IBM Cognos Dashboards on Cloud Pak for Data. Vulnerability Details CVEID:CVE-2023-45857 DESCRIPTION: An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by...
Security Bulletin: Multiple vulnerabilities affect IBM® Semeru Runtime (CVE-2025-53057, CVE-2025-53066)
Summary This bulletin for IBM Semeru Runtime covers all applicable Java SE CVEs published by OpenJDK as part of their October 2025 Vulnerability Advisory. For more information please refer to OpenJDK's October 2025 Vulnerability Advisory and the CVE links below. Vulnerability Details...
Security Bulletin: Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition (CVE-2025-53066, CVE-2025-53057)
Summary This bulletin for IBM SDK, Java Technology Edition covers all applicable Java SE CVEs published by Oracle as part of their October 2025 Critical Patch Update. For more information please refer to Oracle's October 2025 CPU Advisory and the CVE links referenced below. Vulnerability Details...
Security Bulletin: IBM Jazz for Service Management is vulnerable to "filter" cookie not sent over SSL
Summary IBM Jazz for Service Management is vulnerable to "filter" cookie not sent over SSL CVE-2025-36249. Vulnerability Details CVEID:CVE-2025-36249 DESCRIPTION: IBM Jazz for Service Management does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to...
Security Bulletin: IBM App Connect Enterprise Certified Container UBI updates
Summary IBM App Connect Enterprise Certified Container (ACEcc) is built on the Red Hat Universal Base Images. ACEcc operator versions 12.0.17 LTS and 12.17.0 contain fixes to the listed CVEs found in the base images. This bulletin provides patch information to address the reported vulnerabilities...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationRuntime and IntegrationServer operands are vulnerable to improper access control [CVE-2025-48734]
Summary Apache Commons Beanutils is used by IBM App Connect Enterprise Certified Container when using MQ FTE. IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationRuntime and IntegrationServer operands that run flows that use MQ FTE are vulnerable to improper access contro...
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality [CVE-2025-59343]
Summary Node.js module tar-fs is used by IBM App Connect Enterprise Certified Container for processing tar files and streams. IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationRuntime and IntegrationServer operands that use email nodes are vulnerable to loss of confidentiality [GHSA-mm7p-fcc7-pg87]
Summary Node.js module nodemailer is used by IBM App Connect Enterprise Certified Container for processing email in Designer flows that contain an email Node. IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationRuntime and IntegrationServer operands that run flows...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for Oct 2025
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 2.0.3 IF001. Vulnerability Details CVEID:CVE-2025-58457 DESCRIPTION: Improper permission check in ZooKeeper AdminServer lets authorized clients to ru...
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service [CVE-2025-58754]
Summary Node.js module axios is used by IBM App Connect Enterprise Certified Container for some HTTP calls. IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability in Node.js module...
Security Bulletin: IBM InfoSphere Information Server is vulnerable to privilege escalation (CVE-2025-33003)
Summary A privilege escalation vulnerability in InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-33003 DESCRIPTION: IBM InfoSphere Information Server could allow a non-root user to gain higher privileges/capabilities within the scope of a container due to executio...
Security Bulletin: Multiple vulnerabilities in IBM DevOps Solution Workbench
Summary Multiple vulnerabilities were addressed in IBM DevOps Solution Workbench version 5.1. Vulnerability Details CVEID:CVE-2025-46701 DESCRIPTION: Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's CGI servlet allows security constraint bypass of security constraints that...
Security Bulletin: IBM Aspera High-Speed Transfer Server and IBM Aspera High-Speed Transfer Endpoint are vulnerable to an integer overflow attack
Summary A vulnerability has been identified in Redis' in-memory data structure store that could lead to remote code execution. This vulnerability has been addressed in IBM Aspera High-Speed Transfer Server v4.4.7 and IBM Aspera High-Speed Transfer Endpoint v4.4.7 and part of the same remediation...
Security Bulletin: IBM Tivoli Monitoring is vulnerable to unauthenticated file read and write operations
Summary The KT1 component of ITM/ITCAM Agents, hereafter referred to as simply Agents, provides the ability to read from and write to the local file system. This facility is utilised by features such as SDA, Self-Describing Agent, which ensures that updates to a product's application support file...
Security Bulletin: IBM Financial Transaction Manager is impacted by an out-of-bounds read vulnerability in RedHat Proxy for Kubernetes RBAC authorization
Summary IBM Financial Transaction Manager for RedHat OpenShift has addressed the following vulnerability. Vulnerability Details CVEID:CVE-2025-5318 DESCRIPTION: A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function d...
Security Bulletin: Multiple vulnerabilities in IBM Aspera Orchestrator
Summary Multiple vulnerabilities were addressed in IBM Aspera Orchestrator 4.1.0. Vulnerability Details CVEID:CVE-2025-58767 DESCRIPTION: REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need ...
Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.11.1. Vulnerability Details CVEID:CVE-2025-8129 DESCRIPTION: A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js o...
Security Bulletin: IBM Sterling Connect:Direct for UNIX is vulnerable to Execution with Unnecessary Privileges, CVE-2025-36137.
Summary IBM Sterling Control Center can apply maintenance to and upgrade IBM Sterling Connect:Direct for UNIX. The Control Center administrator has the option of running pre and post update scripts. Those scripts are run as root; they should be run as the standard user account under which...