Security Bulletin: Resource Exhaustion and Memory Leak in Multer Due to Improper Stream Handling (Fixed in 2.0.0), affects watsonx.data

Summary Multer is a node.js middleware for handling multipart/form-data. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal busboy stream is not closed, violating Node.js...

Security Bulletin: Vulnerability in pillow affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary IBM watsonx Orchestrate with watsonx Assistant Cartridge contains a vulnerable version of pillow Vulnerability Details CVEID:CVE-2025-48379 DESCRIPTION: Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently lar...

Security Bulletin: IBM WebSphere Application Server Liberty could provide weaker than expected security due to crypto.js (CVE-2020-36732)

Summary A vulnerability in crypto.js library affects IBM WebSphere Application Server Liberty with the openidConnectServer-1.0 feature enabled. Vulnerability Details CVEID:CVE-2020-36732 DESCRIPTION: The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the stri...

Security Bulletin: Vulnerabilities in setuptools affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary Potential vulnerability in setuptools has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2025-47273 DESCRIPTION:...

Security Bulletin: Multiple vulnerabilities affect IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary Potential vulnerabilities have been identified that affect IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerabilities have been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2025-23166 DESCRIPTION: The C++ method...

Security Bulletin: Vulnerabilities in quarkus-resteasy affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary Potential vulnerability in quarkus-resteasy has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2025-1634 DESCRIPTION: ...

Security Bulletin: Vulnerabilities in tar-fs affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary Potential vulnerability in tar-fs has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2025-48387 DESCRIPTION: tar-fs...

Security Bulletin: Vulnerabilities in Multer affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary Potential vulnerability in Multer has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2025-47935 DESCRIPTION: Multer is...

Security Bulletin: Multiple vulnerabilities found in IBM Security Verify Information Queue

Summary Multiple security vulnerabilities in the third-party libraries have been addressed in IBM Security Verify Information Queue ISIQ Vulnerability Details CVEID:CVE-2023-40167 DESCRIPTION: Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and...

Security Bulletin: IBM Db2 used by IBM Security Verify Governance has multiple vulnerabilities

Summary IBM Security Verify Governance ISVG uses IBM Db2 database. Information about security vulnerabilities affecting IBM Db2 has been published in security bulletins. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions...

Security Bulletin: IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)

Summary There is a vulnerability in Apache Commons FileUpload which affects IBM WebSphere Application Server traditional and affects IBM WebSphere Application Server Liberty with the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0 or servlet-6.0 feature enabled. Vulnerability Details...

Security Bulletin: IBM QRadar Investigation Assistant app for IBM QRadar SIEM includes components with known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM QRadar Investigation Assistant app for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of...

Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications

Summary Multiple Vulnerabilities were disclosed as part of the Oracle April 2025 Critical Patch Update. Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecified vulnerability in Java SE related to the Server: DDL component could allow a remote attacker to cause high confidentiality...

Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM)

Summary WebSphere Application Server is shipped as a component of IBM Security Guardium Key Lifecycle Manager SKLM/GKLM. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulleti...

Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Liberty shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM)

Summary IBM WebSphere Application Server and IBM WebSphere Liberty is shipped as a component of IBM Security Guardium Key Lifecycle Manager SKLM/GKLM. Information about multiple security vulnerabilities affecting IBM WebSphere Application Server and IBM WebSphere Liberty has been published in a...

Security Bulletin: Security vulnerabilities due to SQLite3 (CVE-2025-6965), pam_namespace (CVE-2025-6020), systemd-coredump (CVE-2025-4598) and Perl (CVE-2025-40909) packages shipped with IBM CICS TX Advanced.

Summary Security vulnerabilities due to SQLite3 CVE-2025-6965, pamnamespace CVE-2025-6020, systemd-coredump CVE-2025-4598 and Perl CVE-2025-40909 packages shipped with IBM CICS TX Advanced. The package versions have been updated. Vulnerability Details CVEID:CVE-2025-4598 DESCRIPTION: A...

Security Bulletin: Vulnerabilities in IBM WebSphere Liberty that is shipped with IBM CICS TX Advanced (CVE-2025-36097 and CVE-2024-56339).

Summary There are vulnerabilities in IBM WebSphere Liberty that is shipped with IBM CICS TX Advanced CVE-2025-36097 and CVE-2024-56339. An update to IBM CICS TX Advanced has been released to address these. Vulnerability Details CVEID:CVE-2025-36097 DESCRIPTION: IBM WebSphere Application Server 9....

Security Bulletin: Security vulnerabilities in Java SE shipped with IBM TXSeries for Multiplatforms (CVE-2025-50106, CVE-2025-30749, CVE-2025-30761, CVE-2025-30754)

Summary There are multiple vulnerabilities in the Java SE version shipped with IBM TXSeries for Multiplatforms CVE-2025-50106, CVE-2025-30749, CVE-2025-30761, CVE-2025-30754. An update to IBM TXSeries for Multiplatforms has been released to address these vulnerabilities. Vulnerability Details...

Security Bulletin: Security vulnerabilities in Java SE shipped with IBM CICS TX Advanced (CVE-2025-50106, CVE-2025-30749, CVE-2025-30761, CVE-2025-30754)

Summary There are multiple vulnerabilities in the Java SE version shipped with IBM CICS TX Advanced CVE-2025-50106, CVE-2025-30749, CVE-2025-30761, CVE-2025-30754. An update to IBM CICS TX Advanced has been released to address these vulnerabilities. Vulnerability Details CVEID:CVE-2025-50106...

Security Bulletin: Security vulnerabilities in Java SE shipped with IBM CICS TX Standard (CVE-2025-50106, CVE-2025-30749, CVE-2025-30761, CVE-2025-30754)

Summary There are multiple vulnerabilities in the Java SE version shipped with IBM CICS TX Standard CVE-2025-50106, CVE-2025-30749, CVE-2025-30761, CVE-2025-30754. An update to IBM CICS TX Standard has been released to address these vulnerabilities. Vulnerability Details CVEID:CVE-2025-50106...

Security Bulletin: IBM SPSS Analytic Server is affected by multiple vulnerabilities in Apache Commons.

Summary IBM SPSS Analytic Server is affected by multiple vulnerabilities in Apache Commons. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-48734 DESCRIPTION: Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was add...

Security Bulletin: Vulnerabilities in IBM WebSphere Liberty that is shipped with IBM CICS TX Standard (CVE-2025-36097 and CVE-2024-56339)

Summary There are vulnerabilities in IBM WebSphere Liberty that is shipped with IBM CICS TX Standard CVE-2025-36097 and CVE-2024-56339. An update to IBM CICS TX Standard has been released to address these. Vulnerability Details CVEID:CVE-2025-36097 DESCRIPTION: IBM WebSphere Application Server 9....

Security Bulletin: Vulnerabilities in IBM WebSphere Liberty that is shipped with IBM TXSeries for Multiplatforms (CVE-2025-36097 and CVE-2024-56339).

Summary There are vulnerabilities in IBM WebSphere Liberty that is shipped with IBM TXSeries for Multiplatforms CVE-2025-36097 and CVE-2024-56339. An update to IBM TXSeries for Multiplatforms has been released to address these. Vulnerability Details CVEID:CVE-2025-36097 DESCRIPTION: IBM WebSphere...

Security Bulletin: Insufficient URI Authority Validation in Eclipse Jetty's HttpURI Class Enables Open Redirect and SSRF Risks, affects watsonx.data

Summary Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common...

Security Bulletin: HTTP Request/Response Splitting via Improper CRLF Neutralization in Payara Server and Micro (Grizzly, REST Modules), affects watsonx.data

Summary Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in Payara Platform Payara Server Grizzly, REST Management Interface modules, Payara Platform Payara Micro Grizzly modules allows Manipulating State, Identity Spoofing.This issue affec...

Security Bulletin: Incorrect Handling of Unquoted Attributes Ending with Slash in Tokenizer Causes Misparsed Self-Closing Tags in Foreign Content affects watsonx.data

Summary The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in conten...

Security Bulletin: Improper Input Validation in Apache POI OOXML Parsing Allows Ambiguity with Duplicate ZIP Entries (Fixed in poi-ooxml 5.4.0) affects watsonx.data

Summary Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names including the path in the zip. In...

Security Bulletin: SSL Certificate Hostname Verification Bypass in Apache Commons HttpClient 3.x Allowing MITM Attacks affects watsonx.data

Summary Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service FPS merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows...

Security Bulletin: Arbitrary Code Execution via JaninoEventEvaluator in Logback-Core (Versions 0.1–1.3.14, 1.4.0–1.5.12) through Malicious Configuration or Environment Variable Injection affects watsonx.data

Summary ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before...

Security Bulletin: SSRF Vulnerability in Logback's SaxEventRecorder via Malicious DOCTYPE in XML Configuration (Versions 0.1–1.3.14, 1.4.0–1.5.12) affects watsonx.data

Summary Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in X...

Security Bulletin: Vulnerabilities in glib2 library (CVE-2024-52533, CVE-2025-4373) affect Power HMC.

Summary The glib2 library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-52533 DESCRIPTION: gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4CONNMSGLEN...

Security Bulletin: Vulnerabilities in libxml2 library (CVE-2025-6021, CVE-2025-49794, CVE-2025-49796) affect Power HMC.

Summary The libxml2 library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-6021 DESCRIPTION: A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a...

Security Bulletin:IBM WebSphere Application Server Liberty shipped with IBM OpenPages is vulnerable to a denial of service due to Netty (CVE-2025-25193)

Summary IBM WebSphere Application Server Liberty is shipped as a supporting program of IBM OpenPages. Information about a denial of service due to Netty vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. These products have addressed the...

Security Bulletin:IBM WebSphere Application Server Liberty shipped with IBM OpenPages is vulnerable to a denial of service due to Apache CXF (CVE-2025-23184)

Summary IBM WebSphere Application Server Liberty is shipped as a supporting program of IBM OpenPages. Information about a denial of service due to Apache CXF vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. These products have addressed t...

Security Bulletin: IBM Jazz for Service Management is vulnerable to "cookiesEnabled" cookie not sent over SSL

Summary IBM Jazz for Service Management is vulnerable to "cookiesEnabled" cookie not sent over SSL CVE-2025-36011. Vulnerability Details CVEID:CVE-2025-36011 DESCRIPTION: IBM Jazz for Service Management does not set the secure attribute on authorization tokens or session cookies. Attackers may be...

Security Bulletin: Vulnerability in langchain_core affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary IBM watsonx Orchestrate with watsonx Assistant Cartridge contains a vulnerable version of langchaincore Vulnerability Details CVEID:CVE-2025-46059 DESCRIPTION: langchain-ai v0.3.51 was discovered to contain an indirect prompt injection vulnerability in the GmailToolkit component. This...

Security Bulletin: IBM Storage Protect Server is vulnerable to authorization bypass attack due to built-in admin account (CVE-2025-3319)

Summary The IBM Storage Protect server contains a built-in admin account which is vulnerable to an authorization bypass attack by using custom client. Vulnerability Details CVEID:CVE-2025-3319 DESCRIPTION: IBM Spectrum Protect Server could allow attacker to bypass authentication due to improper...

Security Bulletin: Vulnerability in sudo library (CVE-2025-32462) affects Power HMC.

Summary The sudo library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-32462 DESCRIPTION: Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows liste...

Security Bulletin: Vulnerability in pam library (CVE-2025-6020) affects Power HMC.

Summary The pam library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-6020 DESCRIPTION: A flaw was found in linux-pam. The module pamnamespace may use access user-controlled paths without proper protection, allowing...

Security Bulletin: Vulnerability in libxml2 library (CVE-2025-32414) affects Power HMC.

Summary The libxml2 library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-32414 DESCRIPTION: In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API Python bindings...

Security Bulletin: Vulnerability in libxslt library (CVE-2023-40403) affects Power HMC.

Summary The libxslt library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2023-40403 DESCRIPTION: The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.6, tvOS 17, iOS 16.7 and iPadO...

Security Bulletin: Vulnerabilities in libsoup library (CVE-2025-2784, CVE-2025-4948, CVE-2025-32049, CVE-2025-32914) affect Power HMC.

Summary The libsoup library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-2784 DESCRIPTION: A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the...

Security Bulletin: SPSS Collaboration and Deployment Services is affected by vulnerability in Apache Commons (CVE-2025-48924)

Summary SPSS Collaboration and Deployment Services is affected by vulnerability in Apache Commons CVE-2025-48924. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue...

Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a cri-o security vulnerability (CVE-2024-8676)

Summary Red Hat OpenShift on IBM Cloud is affected by a security vulnerability that may allow a malicious user to trick cri-o into restoring a pod that doesn't have CVE-2024-8676 Vulnerability Details CVEID: CVE-2024-8676 Description: A vulnerability was found in CRI-O, where it can be requested ...

Security Bulletin: IBM QRadar App SDK for IBM QRadar SIEM includes components with known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM has addressed the vulnerabilities. This product is only used by IBM QRadar SIEM app developers and external business partners and is not relevant for users o...

Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to tar-fs-1.16.4.tgz CVE-2025-48387

Summary IBM Maximo Application Suite - Monitor Component is vulnerable to tar-fs-1.16.4.tgz CVE-2025-48387. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-48387 DESCRIPTION: tar-fs provides filesystem bindings for tar-stream. Versio...

Security Bulletin: Multiple Vulnerabilities in IBM Concert Software.

Summary Multiple vulnerabilities were addressed in IBM Concert Software version 2.0.0 Vulnerability Details CVEID:CVE-2024-35195 DESCRIPTION: Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made with verify=False to disable cer...

Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images

Summary Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images Vulnerability Details CVEID:CVE-2025-32415 DESCRIPTION: In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploi...

Security Bulletin: IBM Engineering Lifecycle Management - Jazz Foundation is impacted by a remote attack to the root directory which results in a Denial of Service (DoS) condition

Summary IBM Engineering Lifecycle Management could allow an unauthenticated remote attacker to update server configuration files which would allow them to perform unauthorized actions, subsequently leading to a Denial of Service condition. The associated CVE is addressed. Vulnerability Details...

Security Bulletin: There is a vulnerability in kafka-clients-3.8.0.jar used by IBM Maximo Asset Management application (CVE-2025-27817,CVE-2025-27818)

Summary There is a vulnerability in kafka-clients-3.8.0.jar used by IBM Maximo Asset Management application CVE-2025-27817,CVE-2025-27818 Vulnerability Details CVEID:CVE-2025-27817 DESCRIPTION: A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apach...