Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing - Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service

Summary Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. Following IBM® Engineering Lifecycle Management product is...

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses golang.org/x/crypto which is vulnerable to CVE-2024-45337 and CVE-2025-22869

Summary Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses golang.org/x/crypto which is vulnerable to CVE-2024-45337 and CVE-2025-22869 Vulnerability Details CVEID:CVE-2024-45337 DESCRIPTION: Applications and libraries which misuse connection.serverAuthenticate via...

Security Bulletin:IBM WebSphere Application Server Liberty shipped with IBM OpenPages is vulnerable to multiple vulnerabilities

Summary IBM WebSphere Application Server Liberty is shipped as a supporting program of IBM OpenPages. Information about multiple vulnerabilities affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. These products have addressed the applicable CVEs. For a...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in form-data package

Summary IBM Watson Discovery Cartridge contains a vulnerable version of form-data Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution HPP. This vulnerability is associated with program files...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in deepdiff-8.5.0-py3-none-any.whl

Summary IBM Watson Discovery Cartridge contains a vulnerable version of deepdiff-8.5.0-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-58367 DESCRIPTION: DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are vulnerable to class...

Security Bulletin: Several Security Vulnerabilities have been discovered in IBM Security Verify Directory Appliance

Summary Security Vulnerabilities have been addressed in IBM Security Verify Directory Appliance. Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecified vulnerability in Java SE related to the Server: DDL component could allow a remote attacker to cause high confidentiality and hig...

Security Bulletin: Multiple vulnerabilities in OpenJDK may affect opensearch in IBM Business Automation Workflow on Containers - CVE-2025-30749, CVE-2025-30754, CVE-2025-2025-50059

Summary IBM Business Automation Workflow provides a container image for opensearch. OpenJDK on this image is outdated. Vulnerability Details CVEID:CVE-2025-30749 DESCRIPTION: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE...

Security Bulletin: Improper Access Control vulnerability in Apache Commons may affect IBM Business Automation Workflow - CVE-2025-48734

Summary IBM Business Automation Workflow packages a copy of Apache commons-beanutils. CVE-2025-48734 has been reported for this library. Vulnerability Details CVEID:CVE-2025-48734 DESCRIPTION: Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses Requests is a HTTP library. Due to a URL parsing issue to third parties for specific urls.

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses Requests is a HTTP library. Due to a URL parsing issue to third parties for specific urls. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-47081...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server could allow a remote attacker to bypass security restrcitions.

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server could allow a remote attacker to bypass security restrcitions. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-56339...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses Pillow is a Python imaging library format due to writing into a buffer.

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses Pillow is a Python imaging library format due to writing into a buffer.This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-48379 DESCRIPTION: Pillow is...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server are vulnerable to denial of service.

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server are vulnerable to denial of service.This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-36097 DESCRIPTION: IBM WebSphere...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses urllib3 is a user-friendly HTTP client for Python.

Summary Security Bulletin: Security Bulletin: IBM Maximo Application Suite - Predict Component uses urllib3 is a user-friendly HTTP client for Python. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-50181 DESCRIPTION: urllib3 is...

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 2.0.3

Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 2.0.3 Vulnerability Details CVEID:CVE-2025-58754 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to...

Security Bulletin: Due to the use of Apache Tomcat, IBM ApplinX is vulnerable to multiple vulnerabilities (CVE-2025-52520, CVE-2025-53506 and CVE-2025-52434).

Summary Due to the use of Apache Tomcat, IBM ApplinX is vulnerable to multiple vulnerabilities CVE-2025-52520, CVE-2025-53506 and CVE-2025-52434. Apache Tomcat has been updated within IBM ApplinX in order to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-52520 DESCRIPTION: For...

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2025-36099)

Summary IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities, Maximo Adapter for Primavera,...

Security Bulletin: There is a vulnerability in commons-lang3-3.4.jar used by IBM Maximo Asset Management application (CVE-2025-48924)

Summary There is a vulnerability in commons-lang3-3.4.jarused by IBM Maximo Asset Management application CVE-2025-48924 Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with...

Security Bulletin: There is a vulnerability in commons-lang3-3.4.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-48924)

Summary There is a vulnerability in commons-lang3-3.4.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting wi...

Security Bulletin: IBM Engineering Lifecycle Management - Jazz Foundation is impacted by vulnerabilities in Apache Commons Compress

Summary Vulnerabilities have been identified in Apache Commons Compress, which is used in IBM Engineering Lifecycle Management - Jazz Foundation. Vulnerability Details CVEID:CVE-2024-25710 DESCRIPTION: Loop with Unreachable Exit Condition 'Infinite Loop' vulnerability in Apache Commons...

Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which is vulnerable to CVEs.

Summary IBM Maximo Application Suite uses "eventlet-0.39.0-py3-none-any.whl, commons-lang3-3.17.0.jar, spring-core-6.2.10.jar" which is vulnerable to "CVE-2025-58068, CVE-2025-48924, CVE-2025-41249". This bulletin contains information regarding the vulnerability and how it is addressed...

Security Bulletin: IBM Truststore Manager uses urllib3-2.4.0-py3-none-any.whl and requests-2.32.3-py3-none-any.whl which is vulnerable to CVE-2025-50181 and CVE-2025-50182

Summary IBM Truststore Manager uses urllib3-2.4.0-py3-none-any.whl and requests-2.32.3-py3-none-any.whl which is vulnerable to CVE-2025-50181 and CVE-2025-50182. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-47081 DESCRIPTION:...

Security Bulletin: IBM Maximo Application Suite uses WebSphere Application Server Liberty V.25.0.0.2, flask-3.1.0-py3-none-any.whl form-data-2.5.1.tgz and golang.org/x/net which is vulnerable to multiple CVEs

Summary IBM Maximo Application Suite uses WebSphere Application Server Liberty V.25.0.0.2, flask-3.1.0-py3-none-any.whl form-data-2.5.1.tgz and golang.org/x/net which is vulnerable to CVE-2025-36097, CVE-2025-7783, CVE-2025-25193, CVE-2025-47278, CVE-2025-23184, CVE-2025-22872 and CVE-2024-56339...

Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which is vulnerable to CVEs.

Summary IBM Maximo Application Suite uses spring-beans-6.2.9.jar, spring-context-6.1.14.jar, flask-3.1.0-py3-none-any.whl, kafka-clients-3.9.0.jar, cxf-core-3.6.7.jar, urllib3-1.26.20-py2.py3-none-any.whl, postgresql-42.7.5.jar, requests-2.32.3-py3-none-any.whl,commons-beanutils-1.9.4.jar which i...

Security Bulletin: IBM Sterling Connect:Direct Web Services vulnerable to spring-beans-6.2.3.jar (CVE-2025-41242)

Summary IBM Sterling Connect:Direct Web Services is vulnerable toPath Traversal Vulnerability in spring-beans-6.2.3. This has been addressed in new fixpacks available from Fix Central. Vulnerability Details CVEID:CVE-2025-41242 DESCRIPTION: Spring Framework MVC applications can be vulnerable to a...

Security Bulletin: IBM Sterling Connect:Direct Web Services is affected by a vulnerability in spring-security-core-6.4.3.jar (CVE-2025-41248)

Summary IBM Sterling Connect:Direct Web Services is vulnerable to Annotation detection mechanism may not correctly resolve annotations on methods in spring-security-core-6.4.3. This has been addressed in new fixpacks available from Fix Central. Vulnerability Details CVEID:CVE-2025-41248...

Security Bulletin: IBM Connect:Direct Web Services is affected by a PostgreSQL vulnerability (CVE-2025-49146)

Summary IBM Connect:Direct Web Services has addressed a PostgreSQL vulnerability. Vulnerability Details CVEID:CVE-2025-49146 DESCRIPTION: pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to requir...

Security Bulletin: IBM Sterling Connect:Direct Web Services is affected by a vulnerability in spring-core-6.2.3.jar (CVE-2025-41249)

Summary IBM Sterling Connect:Direct Web Services is vulnerable to Annotation detection mechanism may not correctly resolve annotations on methods in spring-core-6.2.3. This has been addressed in new fixpacks available from Fix Central. Vulnerability Details CVEID:CVE-2025-41249 DESCRIPTION: The...

Security Bulletin: IBM Sterling Connect:Direct Web Services is affected by a vulnerability in spring-web-6.2.3.jar(CVE-2025-41234)

Summary IBM Sterling Connect:Direct Web Services is vulnerable to a reflected file download RFD attack in spring-web-6.2.3. This has been addressed in new fixpacks available from Fix Central. Vulnerability Details CVEID:CVE-2025-41234 DESCRIPTION: Description In Spring Framework, versions 6.0.x a...

Security Bulletin: AIX/VIOS is vulnerable to a memory corruption issue (CVE-2025-6965) due to RPM

Summary Vulnerability in RPM could allow an attacker to cause a memory corruption issue CVE-2025-6965. RPM is used by AIX for package management. Vulnerability Details CVEID:CVE-2025-6965 DESCRIPTION: There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate term...

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to an open redirect attack due to the Eclipse Jetty package (CVE-2024-6763)

Summary Eclipse Jetty is used by DataStage on Cloud Pak for Data as part of the server processing functionality. Vulnerability Details CVEID:CVE-2024-6763 DESCRIPTION: Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI,...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in tomcat-embed-core-10.1.42.jar

Summary IBM Watson Discovery Cartridge contains a vulnerable version of tomcat-embed-core-10.1.42.jar Vulnerability Details CVEID:CVE-2025-48989 DESCRIPTION: Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affect...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in IBM SDK

Summary IBM Watson Discovery Cartridge contains a vulnerable version of IBM SDK Vulnerability Details CVEID:CVE-2025-50106 DESCRIPTION: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: 2D. Supported versions that a...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in webrick-1.4.2.gem

Summary IBM Watson Discovery Cartridge contains a vulnerable version of webrick-1.4.2.gem Vulnerability Details CVEID:CVE-2025-6442 DESCRIPTION: Ruby WEBrick readheader HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected...

Security Bulletin: IBM InfoSphere Data Replication VSAM for z/OS Remote Source is vulnerable to a stack-based buffer overflow

Summary IBM InfoSphere Data Replication VSAM for z/OS Remote Source is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user with access to the files storing CECSUB or CECRM on the container could overflow the buffer and execute arbitrary code on the system...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in urllib3-1.26.20-py2.py3-none-any.whl

Summary IBM Watson Discovery Cartridge contains a vulnerable version of urllib3-1.26.20-py2.py3-none-any.whl Vulnerability Details CVEID:CVE-2025-50181 DESCRIPTION: urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in eslint-config-prettier

Summary IBM Watson Discovery Cartridge contains a vulnerable version of eslint-config-prettier Vulnerability Details CVEID:CVE-2025-54313 DESCRIPTION: eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in tomcat-embed-core-9.0.106.jar

Summary IBM Watson Discovery Cartridge contains a vulnerable version of tomcat-embed-core-9.0.106.jar Vulnerability Details CVEID:CVE-2025-53506 DESCRIPTION: Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that...

Security Bulletin:IBM SDK, Java Technology Edition Quarterly CPU - Jul 2025 - Includes Oracle July 2025 CPU

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 8 and Java 17 that are used by Rational Software Architect Designer and Rational Software Architect Designer for Websphere Software. These issues were disclosed as part of the IBM SDK, Java Technology Editio...

Security Bulletin: Several Security Vulnerabilities have been discovered in IBM Security Verify Access and IBM Verify Identity Access products. (CVE-2025-36354, CVE-2025-36355, CVE-2025-363546)

Summary Security Vulnerabilities have been addressed in IBM Security Verify Access 10.0.9.0-IF3 and IBM Verify Identity Access 11.0.1.0-IF1. Vulnerability Details CVEID:CVE-2025-36355 DESCRIPTION: IBM Security Verify Access could allow a locally authenticated user to execute malicious scripts fro...

Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale System are now included in 6.1.9.8 and 6.2.3.2

Summary The following vulnerabilities that can affect IBM Storage Scale System and could provide weaker than expected security are now fixed in 6.1.9.8 and 6.2.3.2. Vulnerability Details CVEID:CVE-2024-26934 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: USB: cor...

Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale System are now included in 6.1.9.8 and 6.2.3.1

Summary The following vulnerabilities that can affect IBM Storage Scale System and could provide weaker than expected security are now fixed in 6.1.9.8 and 6.2.3.1. Vulnerability Details CVEID:CVE-2024-26973 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: fat: fix...

Security Bulletin: Multiple vulnerabilities in IBM Semeru Runtime affect Rational Business Developer

Summary There are multiple vulnerabilities in IBM Semeru Runtime used by Rational Business Developer. Rational Business Developer has provided fixes for the applicable CVEs. These issues were disclosed as part of the IBM Semeru Runtime Quarterly CPU - Jul 2025 - Includes OpenJDK July 2025 CPU...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer

Summary There are multiple vulnerabilities in IBM® SDK Java™ used by Rational Business Developer. Rational Business Developer has provided fixes for the applicable CVEs. These issues were disclosed as part of the IBM Java SDK and Runtime Environment updates in the Oracle July 2025 CPU...

Security Bulletin: Vulnerability in golang.org/x/crypto and idna affects IBM Db2 Data Management Console(CVE-2024-45337, CVE-2024-3651)

Summary golang.org/x/crypto and idna dependency packages is used by IBM Db2 Data Management Console . This bulletin describes the upgrades necessary to address the vulnerability. Vulnerability Details CVEID:CVE-2024-45337 DESCRIPTION: Applications and libraries which misuse...

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses requests-2.32.3-py3-none-any.whl which is vulnerable to CVE-2024-47081

Summary Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses requests-2.32.3-py3-none-any.whl which is vulnerable to CVE-2024-47081 Vulnerability Details CVEID:CVE-2024-47081 DESCRIPTION: Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior...

Security Bulletin: IBM Transformation Extender Advanced is affected by unsafe Java deserialization.

Summary IBM Transformation Extender Advanced, also known as IBM Standards Processing Engine, is affected by unsafe Java deserialization. Vulnerability Details CVEID:CVE-2023-49886 DESCRIPTION: IBM Standards Processing Engine could allow a remote attacker to execute arbitrary code on the system,...

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses form-data-4.0.1.tgz and form-data-4.0.3.tgz which are vulnerable to this CVE-2024-6345

Summary Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses form-data-4.0.1.tgz and form-data-4.0.3.tgz which are vulnerable to this CVE-2024-6345 Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data...

Security Bulletin: Vulnerability in go package in nginx-controller affects IBM Db2 Data Management Console

Summary go package in nginx-controller open source library is used by IBM Db2 Data Management Console . This bulletin describes the upgrades necessary to address the vulnerability. Vulnerability Details CVEID:CVE-2023-24532 DESCRIPTION: An unspecified error with return an incorrect result in the...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in requests-2.32.3-py3-none-any.whl

Summary IBM Watson Discovery Cartridge contains a vulnerable version of requests-2.32.3-py3-none-any.whl Vulnerability Details CVEID:CVE-2024-47081 DESCRIPTION: Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties f...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in jackson-core-2.10.3.jar

Summary IBM Watson Discovery Cartridge contains a vulnerable version of jackson-core-2.10.3.jar Vulnerability Details CVEID:CVE-2025-49128 DESCRIPTION: Jackson-core contains core low-level incremental "streaming" parser and generator abstractions used by Jackson Data Processor. Starting in versio...