Security Bulletin: multiple vulnerabilities in IBM Spectrum Symphony with Requests and urllib3
Summary Multiple vulnerabilities in IBM Spectrum Symphony with Requests and urllib3, which have now been addressed. Vulnerability Details CVEID:CVE-2025-50182 DESCRIPTION: urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not...
Security Bulletin: multiple vulnerabilities in IBM Spectrum Symphony with Bouncy Castle Java TLS API
Summary multiple vulnerabilities in IBM Spectrum Symphony with Bouncy Castle Java TLS API Vulnerability Details CVEID:CVE-2024-30172 DESCRIPTION: An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature...
Security Bulletin: vulnerability in IBM Spectrum Symphony with Elasticsearch
Summary vulnerability in IBM Spectrum Symphony with Elasticsearch Vulnerability Details CVEID:CVE-2024-23450 DESCRIPTION: A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash. CWE:CWE-400:...
Security Bulletin: vulnerability in IBM Spectrum Symphony with Express.js
Summary vulnerability in IBM Spectrum Symphony with Express.js Vulnerability Details CVEID:CVE-2024-29041 DESCRIPTION: Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect...
Security Bulletin: multiple vulnerabilities in IBM Spectrum Symphony with Node.js
Summary multiple vulnerabilities in IBM Spectrum Symphony with Node.js Vulnerability Details CVEID:CVE-2024-27982 DESCRIPTION: The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling...
Security Bulletin: multiple vulnerabilities in IBM Spectrum Symphony with IBM JRE
Summary multiple vulnerabilities in IBM Spectrum Symphony with IBM JRE Vulnerability Details CVEID:CVE-2024-21147 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality, high integrity impacts. CWE:CWE-200: Exposur...
Security Bulletin: multiple vulnerabilities in IBM Spectrum Symphony with IBM WebSphere Application Server Liberty
Summary multiple vulnerabilities in IBM Spectrum Symphony with IBM WebSphere Application Server Liberty Vulnerability Details CVEID:CVE-2023-50312 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.2 could provide weaker than expected security for outbound TLS connections...
Security Bulletin: multiple vulnerabilities in IBM Spectrum Symphony with ISC BIND
Summary multiple vulnerabilities in IBM Spectrum Symphony with ISC BIND Vulnerability Details CVEID:CVE-2023-4408 DESCRIPTION: The DNS message parsing code in named includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queri...
Security Bulletin: IBM Content Navigator consumes vulnerable spring framework library
Summary A bypass vulnerability where, despite CVE-2024-38820 ensuring Locale-independent lowercase conversion for disallowedFields patterns and request parameter names, there are still cases where it is possible to bypass the disallowedFields checks. Vulnerability Details CVEID:CVE-2025-22233...
Security Bulletin: IBM Content Navigator consumes vulnerable spring framework library
Summary Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions. A vulnerability where the fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive, but String.toLowerCase has Locale-dependent exceptions that could potentially result in...
Security Bulletin: IBM MQ is affected by a denial of service vulnerability in IBM WebSphere Application Server Liberty (CVE-2025-48976)
Summary IBM WebSphere Application Server Liberty is used by IBM MQ as part of the IBM MQ Console and IBM MQ REST API functionality CVE-2025-48976 Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of resources for multipart headers with insufficient limits enabled a DoS...
Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2025-48976)
Summary IBM MQ appliance has addressed a denial of service vulnerability. Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons...
Security Bulletin: IBM MQ Appliance is affected by open source vulnerabilities (CVE-2025-8058 and CVE-2025-7425)
Summary IBM MQ Appliance has addressed open source vulnerabilities. Vulnerability Details CVEID:CVE-2025-8058 DESCRIPTION: The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc...
Security Bulletin: IBM MQ is affected by a vulnerability in IBM WebSphere Application Server Liberty (CVE-2025-36047)
Summary A denial of service vulnerability was identified in IBM WebSphere Application Server Liberty, which IBM MQ ships and uses to supply IBM MQ Console and IBM MQ REST API functionality CVE-2025-36047 Vulnerability Details CVEID:CVE-2025-36047 DESCRIPTION: IBM WebSphere Application Server...
Security Bulletin: IBM MQ is affected by a vulnerability in IBM WebSphere Application Server Liberty (CVE-2025-36732)
Summary A denial of service vulnerability was identified in IBM WebSphere Application Server Liberty, which IBM MQ ships and uses to supply IBM MQ Console and IBM MQ REST API functionality CVE-2025-36732 Vulnerability Details CVEID:CVE-2020-36732 DESCRIPTION: The crypto-js package before 3.2.1 fo...
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to possible memory corruption due to the Linux kernel network scheduler (CVE-2025-37914)
Summary The Linux kernel network scheduler is used by DataStage on Cloud Pak for Data as part of network processing functionality. Vulnerability Details CVEID:CVE-2025-37914 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: netsched: ets: Fix double list add in clas...
Security Bulletin: IBM Security QRadar Network Threat Analytics app for IBM QRadar SIEM includes a component with known vulnerabilities (CVE-2025-29927 & CVE-2025-48068)
Summary The product includes a vulnerable component e.g., framework library that may be identified and exploited with automated tools. IBM Security QRadar Network Threat Analytics app for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-29927 DESCRIPTION:...
Security Bulletin: IBM Content Navigator consumes vulnerable spring framework library
Summary Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions. The vulnerability involves case-sensitive patterns for disallowedFields on a DataBinder, meaning a field is not effectively protected unless it is listed with both upper and lower case for the first...
Security Bulletin: IBM Content Navigator consumes vulnerable spring framework library
Summary Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions. The vulnerability involves another data bypass issue related to data binding field protection Vulnerability Details CVEID:CVE-2025-22233 DESCRIPTION: CVE-2024-38820 ensured Locale-independent, lowerca...
Security Bulletin: A Prototype Pollution vulnerability in jquery.dataTables affects IBM Tivoli Network Manager IP Edition (ITNM) (CVE-2020-28458)
Summary A Prototype Pollution vulnerability in jquery.dataTables was addressed in ITNM version 4.2 Fix Pack 23 4.2.0.23 Vulnerability Details CVEID:CVE-2020-28458 DESCRIPTION: All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for...
Security Bulletin: IBM webMethods Integration Server is affected by server-side request forgery (SSRF)
Summary IBM webMethods Integration Server is affected by server-side request forgery SSRF. CVE-2025-36037 Vulnerability Details CVEID:CVE-2025-36037 DESCRIPTION: IBM webMethods Integration is vulnerable to server-side request forgery SSRF. This may allow an authenticated attacker to send...
Security Bulletin: Multiple vulnerabilities in IBM Aspera High-Speed Transfer Server, IBM Aspera High-Speed Transfer Endpoint and IBM Aspera Desktop Client.
Summary Multiple vulnerabilities were addressed in IBM Aspera High-Speed Transfer Server v4.4.7, IBM Aspera High-Speed Transfer Endpoint v4.4.7 and IBM Aspera Desktop Client v4.4.7. Vulnerability Details CVEID:CVE-2025-46818 DESCRIPTION: Redis is an open source, in-memory database that persists o...
Security Bulletin: Multiple Vulnerabilities in IBM StreamSets Data Collector
Summary Multiple vulnerabilities were addressed in IBM StreamSets Data Collector version 6.4.0 Vulnerability Details CVEID:CVE-2019-19135 DESCRIPTION: In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in jose-4.15.9.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in jose-4.15.9.tgz Vulnerability Details CVEID:CVE-2025-45767 DESCRIPTION: jose v6.0.10 was discovered to contain weak encryption. NOTE: this is disputed by a third party because the claim of "do not me...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in sha.js-2.4.11.tgz CVE-2025-9288
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in sha.js-2.4.11.tgz CVE-2025-9288 Vulnerability Details CVEID:CVE-2025-9288 DESCRIPTION: Improper Input Validation vulnerability in sha.js allows Input Data Manipulation. This issue affects sha.js:...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in on-headers-1.0.2.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in on-headers-1.0.2.tgz Vulnerability Details CVEID:CVE-2025-7339 DESCRIPTION: on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions 1.1.0 may...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer-2.0.1.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer-2.0.1.tgz Vulnerability Details CVEID:CVE-2025-7338 DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starting in version 1.4.4-lts....
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in pbkdf2-3.1.2.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in pbkdf2-3.1.2.tgz Vulnerability Details CVEID:CVE-2025-6547 DESCRIPTION: Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This issue affects pbkdf2:...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in torch-2.6.0-cp313-cp313-manylinux1_x86_64.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in torch-2.6.0-cp313-cp313-manylinux1_x86_64.whl Vulnerability Details CVEID:CVE-2025-2148 DESCRIPTION: A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared as critical. Affected by this...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in grpc-js-1.7.3.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in grpc-js-1.7.3.tgz Vulnerability Details CVEID:CVE-2024-37168 DESCRIPTION: @grpc/grpc-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9,...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in urllib3-2.3.0-py3-none-any.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in urllib3-2.3.0-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-50182 DESCRIPTION: urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in protobuf-5.29.3-cp310-abi3-win32.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in protobuf-5.29.3-cp310-abi3-win32.whl Vulnerability Details CVEID:CVE-2025-4565 DESCRIPTION: Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in react-pdf-5.0.0.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in react-pdf-5.0.0.tgz Vulnerability Details CVEID:CVE-2024-34342 DESCRIPTION: react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is configured with...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in pdfjs-dist-2.4.456.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in pdfjs-dist-2.4.456.tgz Vulnerability Details CVEID:CVE-2024-4367 DESCRIPTION: A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in brace-expansion-1.1.11.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in brace-expansion-1.1.11.tgz Vulnerability Details CVEID:CVE-2025-5889 DESCRIPTION: A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in requests-2.32.2-py3-none-any.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in requests-2.32.2-py3-none-any.whl Vulnerability Details CVEID:CVE-2024-47081 DESCRIPTION: Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer-1.4.5-lts.2.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer-1.4.5-lts.2.tgz Vulnerability Details CVEID:CVE-2025-48997 DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starting in version...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in transformers-4.48.3-py3-none-any.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in transformers-4.48.3-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-2099 DESCRIPTION: A vulnerability in the preprocess_string function of the transformers.testing_utils module in...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in llama_index-0.12.29-py3-none-any.whl CVE-2025-1793
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in llama_index-0.12.29-py3-none-any.whl CVE-2025-1793 Vulnerability Details CVEID:CVE-2025-1793 DESCRIPTION: Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in setuptools-70.3.0-py3-none-any.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in setuptools-70.3.0-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-47273 DESCRIPTION: setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python package...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in dompurify-3.2.5.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in dompurify-3.2.5.tgz Vulnerability Details CVEID:CVE-2025-48050 DESCRIPTION: In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer-1.4.5-lts.2.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer-1.4.5-lts.2.tgz Vulnerability Details CVEID:CVE-2025-47935 DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. Versions prior to 2.0.0 are vulnerable to a resource...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in flask-3.1.0-py3-none-any.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in flask-3.1.0-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-47278 DESCRIPTION: Flask is a web server gateway interface WSGI web application framework. In Flask 3.1.0, the way fallback key...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in torch-2.6.0-cp313-cp313-manylinux1_x86_64.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in torch-2.6.0-cp313-cp313-manylinux1_x86_64.whl Vulnerability Details CVEID:CVE-2025-4287 DESCRIPTION: A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in torch-2.6.0-cp313-cp313-manylinux1_x86_64.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in torch-2.6.0-cp313-cp313-manylinux1_x86_64.whl Vulnerability Details CVEID:CVE-2025-3000 DESCRIPTION: A vulnerability classified as critical has been found in PyTorch 2.6.0. This affects the function...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in cryptography-44.0.0-cp37-abi3-macosx_10_9_universal2.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in cryptography-44.0.0-cp37-abi3-macosx_10_9_universal2.whl Vulnerability Details CVEID:CVE-2024-12797 DESCRIPTION: Issue summary: Clients using RFC7250 Raw Public Keys RPKs to authenticate a server may fa...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in formidable-2.1.0.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in formidable-2.1.0.tgz Vulnerability Details CVEID:CVE-2025-46653 DESCRIPTION: Formidable aka node-formidable 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in transformers-4.48.3-py3-none-any.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in transformers-4.48.3-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-1194 DESCRIPTION: A Regular Expression Denial of Service ReDoS vulnerability was identified in the huggingface/transformers...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in jinja2-3.1.5-py3-none-any.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in jinja2-3.1.5-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-27516 DESCRIPTION: Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in h11-0.14.0-py3-none-any.whl CVE-2025-43859
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in h11-0.14.0-py3-none-any.whl CVE-2025-43859 Vulnerability Details CVEID:CVE-2025-43859 DESCRIPTION: h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of...