Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in the Requests HTTP library (CVE-2024-47081)
Summary A vulnerability in the Requests HTTP library that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2024-47081 DESCRIPTION: Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache XML Graphics FOP (CVE-2024-28168)
Summary A vulnerability in Apache XML Graphics FOP that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2024-28168 DESCRIPTION: Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP. This issue affects Apac...
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Apache XML Security for Java.
Summary Multiple vulnerabilities in Apache XML Security for Java that is used by IBM InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2024-20945 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Commons (CVE-2025-48734)
Summary A vulnerability in Apache Commons that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-48734 DESCRIPTION: Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in the setuptools package (CVE-2025-47273)
Summary A vulnerability in the setuptools package that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-47273 DESCRIPTION: setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversa...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in the Spring framework (CVE-2025-22233)
Summary A vulnerability in the Spring framework that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-22233 DESCRIPTION: CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for reques...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Eclipse Jetty (CVE-2025-5115)
Summary A vulnerability in Eclipse Jetty that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-5115 DESCRIPTION: In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Wink (CVE-2010-2245)
Summary A vulnerability in Apache Wink that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2010-2245 DESCRIPTION: XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial o...
Security Bulletin: IBM InfoSphere Information Server is affected by an improper input validation vulnerability in Apache POI (CVE-2025-31672)
Summary An improper input validation vulnerability in Apache POI that is used by InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-31672 DESCRIPTION: Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xls...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Netty (CVE-2025-25193)
Summary A vulnerability in Netty that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-25193 DESCRIPTION: Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsaf...
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in VMware Tanzu Spring Framework
Summary Multiple vulnerabilities in VMware Tanzu Spring Framework that is used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2024-38816 DESCRIPTION: Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerabl...
Security Bulletin: Vulnerabilities in Angular might affect IBM Storage Defender Copy Data Management.
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Angular. Vulnerabilities include a large carefully-crafted input, which can result in catastrophic backtracking, and Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser as...
Security Bulletin: Buffer overflow, uncontrolled recursion, and other vulnerabilities might affect IBM Storage Defender - Resiliency Service
Summary IBM Storage Defender - Resiliency Service is vulnerable to buffer overflow, uncontrolled recursion, and other vulnerabilities. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-7969 DESCRIPTION: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site...
Security Bulletin: IBM WebSphere Application Server is affected by a denial of service (CVE-2025-36099)
Summary IBM WebSphere Application Server is affected by a denial of service vulnerability. Vulnerability Details CVEID:CVE-2025-36099 DESCRIPTION: IBM WebSphere Application Server is vulnerable to a denial of service, caused by sending a specially-crafted request. A privileged user could exploit...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to denial of service attacks due to http2 (CVE-2023-44487)
Summary A potential vulnerability in the http2 package (CVE-2023-44487) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2023-44487 DESCRIPTION: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset...
Security Bulletin: IBM App Connect Enterprise Toolkit and IBM Integration Bus for z/OS Toolkit are vulnerable to Improper Restriction of XML External Entity Reference due to Eclipse JGit (CVE-2025-4949)
Summary IBM App Connect Enterprise Toolkit and IBM Integration Bus for z/OS Toolkit are vulnerable to Improper Restriction of XML External Entity Reference due to Eclipse JGit. Vulnerability Details CVEID:CVE-2025-4949 DESCRIPTION: In Eclipse JGit versions 7.2.0.202503040940-r and older, the...
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to IBM Semeru Runtime (CVE-2025-50059, CVE-2025-30761 & CVE-2025-30754)
Summary IBM App Connect Enterprise is vulnerable to Improper Access Control and Deserialization of Untrusted Data due to IBM Semeru Runtime. Vulnerability Details CVEID:CVE-2025-50059 DESCRIPTION: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition produ...
Security Bulletin: Security vulnerability in IBM Business Automation Manager Open Editions in axios library.
Summary A vulnerable axios library was addressed (updated) in IBM Business Automation Manager Open Editions 9.3.0. Vulnerability Details CVEID:CVE-2025-58754 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.11.0 runs on Node.js and is given ...
Security Bulletin: Multiple security vulnerabilities in IBM Business Automation Manager Open Editions.
Summary Multiple vulnerabilities were addressed in IBM Business Automation Manager Open Editions 9.3.0. Vulnerability Details CVEID:CVE-2025-48989 DESCRIPTION: Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue...
Security Bulletin: IBM Cloud Kubernetes Service is affected by a Kubernetes API server security vulnerability (CVE-2025-5187)
Summary IBM Cloud Kubernetes Service is affected by a security vulnerability in the Kubernetes API server that may allow node users to delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource (CVE-2025-5187). Vulnerability Details CVEID:...
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2025-33142)
Summary IBM WebSphere Application Server is a required product for IBM Tivoli Netcool Configuration Manager version 6.4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security...
Security Bulletin: Multiple Vulnerabilities affect IBM License Metric Tool v9.
Summary Multiple vulnerabilities have been remediated in components used by IBM License Metric Tool. Vulnerability Details CVEID:CVE-2025-36352 DESCRIPTION: IBM License Metric Tool is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary...
Security Bulletin: Requests before 2.32.4 may leak .netrc credentials via malicious URLs due to a URL parsing flaw
Summary Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can...
Security Bulletin: IBM Event Endpoint Management is vulnerable to Sensitive Information Leakage and Request Smuggling (CVE-2025-4673, CVE-2025-22871)
Summary Operator of IBM Event Endpoint Management is vulnerable to Sensitive Information Leakage and Request Smuggling due to Apache HTTP components. IBM Event Endpoint Management uses HTTP components to expose secure event APIs via its Event Gateway, enabling client applications to interact with...
Security Bulletin: IBM Event Endpoint Management is vulnerable to Remote Code Execution and Server-Side Request Forgery attacks (CVE-2025-27818, CVE-2025-27817)
Summary Operator of IBM Event Endpoint Management is vulnerable to remote code execution and server-side request forgery due to unsafe deserialization and misconfigured OAuthBearer endpoints in SASL JAAS configuration. Vulnerability Details CVEID:CVE-2025-27818 DESCRIPTION: A possible security...
Security Bulletin: IBM Event Endpoint Management is vulnerable to HTTP Parameter Pollution (HPP) attack (CVE-2025-7783)
Summary Operator of IBM Event Endpoint Management is vulnerable to an HTTP Parameter Pollution (HPP) attack due to the use of random values in the form-data module. This vulnerability affects how data from HTML forms is processed, particularly during form submission or when interacting with event...
Security Bulletin: IBM Event Processing is vulnerable due to Incorrect Default Permissions (CVE-2025-30706)
Summary IBM Event Processing is vulnerable due to incorrect default permissions in the MySQL Connectors product (specifically, Connector/J). This connector is used in IBM Event Processing to enable Java-based components to interact with MySQL databases for storing and retrieving event-related data...
Security Bulletin: IBM Event Processing is vulnerable to HTTP Parameter Pollution (HPP) attack (CVE-2025-7783).
Summary IBM Event Processing is vulnerable to an HTTP Parameter Pollution (HPP) attack due to the use of random values in the form-data module. This vulnerability affects how data from HTML forms is processed, particularly during form submission or when interacting with event listeners tied to form...
Security Bulletin: IBM Event Streams is vulnerable to Regular Expression Denial of Service (ReDoS) (CVE-2025-1302).
Summary IBM Event Streams is vulnerable to Regular Expression Denial of Service (ReDoS) caused by Inefficient Regular Expression Complexity. This issue affects JavaScript code that is compiled using certain versions of Babel. Babel is a JavaScript transcompiler used for converting modern JavaScrip...
Security Bulletin: IBM Event Streams is vulnerable to HTTP Parameter Pollution (HPP) attack (CVE-2025-7783).
Summary IBM Event Streams is vulnerable to an HTTP Parameter Pollution (HPP) attack due to the use of random values in the form-data module. This vulnerability affects how data from HTML forms is processed, particularly during form submission or when interacting with event listeners tied to form...
Security Bulletin: urllib3 before 2.5.0 fails to properly enforce redirect controls in PoolManager and Pyodide environments, exposing apps to SSRF and open redirect risks
Summary urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application...
Security Bulletin: Axios before 1.8.2 allows SSRF and credential leakage when using absolute URLs despite baseURL setting
Summary axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This...
Security Bulletin: Axios exposes confidential XSRF-TOKEN in all requests via X-XSRF-TOKEN header
Summary An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information. Vulnerability Details CVEID:CVE-2023-45857 DESCRIPTIO...
Security Bulletin: Axios before 1.7.8 uses setAttribute('href') in isURLSameOrigin.js, raising potential security concern
Summary In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href', href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a...
Security Bulletin: urllib3 Proxy-Authorization header only applies with ProxyManager, not direct requests
Summary urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to...
Security Bulletin: Vulnerability in certifi, flask, idna, urllib3 and axios might affect IBM Storage Defender Sentinel Anomaly Scan Engine.
Summary IBM Storage Defender Sentinel Anomaly Scan Engine can be affected by vulnerabilities in certifi, flask, idna, urllib3 and axios. Vulnerabilities include allowing an attacker to cause a denial of service, obtain sensitive information and gain access to launch further attacks on the systems...
Security Bulletin: A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30).
Summary A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30). Vulnerability Details CVEID:CVE-2024-31486 DESCRIPTION: A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30). The affected devices store MQTT client passwords without sufficient protection o...
Security Bulletin: Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
Summary Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError. Vulnerability Details CVEID:CVE-2024-4340 DESCRIPTION: Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError. CWE:CWE-674: Uncontrolled Recursio...
Security Bulletin: IBM i is affected by a security configuration vulnerability in IBM WebSphere Application Server Liberty [CVE-2024-56339]
Summary IBM WebSphere Application Server Liberty for IBM i is vulnerable to bypassing of security restrictions caused by failure to honor the security configuration (CVE-2024-56339) as described in the vulnerability details section. Vulnerability Details CVEID:CVE-2024-56339 DESCRIPTION: IBM...
Security Bulletin: Multiple vulnerabilities may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2025-5889, CVE-2025-7339)
Summary There are multiple vulnerabilities in brace-expansion and on-headers used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-5889 DESCRIPTION: A vulnerability...
Security Bulletin: Vulnerabilities in Linux Kernel might affect IBM Storage Defender Copy Data Management
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Linux Kernel. A local attacker could exploit this vulnerability to cause a denial of service. Vulnerability Details IBM X-Force ID: 383938 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused ...
Security Bulletin: Vulnerabilities in Marked, Minimatch and Logback might affect IBM Storage Defender Copy Data Management
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Marked, Minimatch and Logback. Vulnerabilities include causing regular expression denial of service (ReDoS), allowing an attacker to mount a Denial-of-Service attack by sending poisoned data, and allowing an attacker to execu...
Security Bulletin: Vulnerabilities in Bouncy Castle, Eclipse JGit and Node.js diff might affect IBM Storage Defender Copy Data Management
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Bouncy Castle, Eclipse JGit and Node.js diff. Vulnerabilities include a padding oracle attack, allowing remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistic...
Security Bulletin: Vulnerabilities in Jettison, Hawk and trim-newlines might affect IBM Storage Defender Copy Data Management.
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Jettison, Hawk and trim-newlines. Vulnerabilities include causing a denial of service attack, causing a Denial of Service (DoS) via crafted JSON data, and allowing attackers to cause a Denial of Service (DoS) via a craft...
Security Bulletin: Vulnerabilities in Netty-codec and Netty-handler might affect IBM Storage Defender Copy Data Management
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Netty-codec and Netty-handler. Vulnerabilities include incorrect validation of a specially crafted packet via SslHandler that can lead to a native crash, and the SniHandler can allocate up to 16MB of heap for each chann...
Security Bulletin: Vulnerabilities in Apache Tomcat and form-data might affect IBM Storage Defender Copy Data Management.
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Apache Tomcat and form-data. Vulnerabilities include a memory leak which results in a denial of service, and the possibility for a specially crafted request to bypass some rewrite rules, which could bypass security...
Security Bulletin: IBM i is affected by denial of service vulnerabilities in IBM WebSphere Application Server Liberty [CVE-2025-36097, CVE-2025-36047, CVE-2025-48976]
Summary IBM WebSphere Application Server Liberty for IBM i is vulnerable to a denial of service by sending a specially crafted request that causes the server to consume excessive memory resources (CVE-2025-36097, CVE-2025-36047) and by allocation of resources for multipart headers with insufficient...
Security Bulletin: Multiple vulnerabilities in IBM Aspera HTTP Gateway
Summary Multiple vulnerabilities were addressed in IBM Aspera HTTP Gateway version 2.3.2. Vulnerability Details CVEID:CVE-2025-36274 DESCRIPTION: IBM Aspera HTTP Gateway stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user. CWE:CWE-312...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in llama_index-0.12.29-py3-none-any.whl
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of llama_index-0.12.29-py3-none-any.whl. Vulnerability Details CVEID:CVE-2025-1793 DESCRIPTION: Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabiliti...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in jsonpath-plus-10.2.0.tgz
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of jsonpath-plus-10.2.0.tgz. Vulnerability Details CVEID:CVE-2025-1302 DESCRIPTION: Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacke...