34926 matches found

IBM Security Bulletins
added 2025/09/05 11:1 a.m. | 5 views

Security Bulletin: There is a vulnerability in urllib3-2.4.0-py3-none-any.whl used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-50181,CVE-2025-50182)

Summary There is a vulnerability in urllib3-2.4.0-py3-none-any.whl used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-50181 DESCRIPTION: urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable...

CVSS 6.1 | AI score 6.3 | EPSS 0.00079
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/05 11:0 a.m. | 6 views

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2025-33142)

Summary IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities, Maximo Adapter for Primavera,...

CVSS 7.5 | AI score 6.1 | EPSS 0.00046
Exploits: 0 | Affected Software: 11

IBM Security Bulletins
added 2025/09/05 10:59 a.m. | 4 views

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2025-36097)

Summary IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities, Maximo Adapter for Primavera,...

CVSS 7.5 | AI score 8.7 | EPSS 0.0027
Exploits: 0 | Affected Software: 11

IBM Security Bulletins
added 2025/09/05 10:58 a.m. | 8 views

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2025-48976)

Summary IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities, Maximo Adapter for Primavera,...

CVSS 7.5 | AI score 7.5 | EPSS 0.01278
Exploits: 1 | Affected Software: 11

IBM Security Bulletins
added 2025/09/05 10:57 a.m. | 7 views

Security Bulletin: There is a vulnerability in dojo-1.17.3.js used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2021-23450, CVE-2008-6681, CVE-2010-2273)

Summary There is a vulnerability in dojo-1.17.3.js used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2021-23450 DESCRIPTION: All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. CWE:CWE-1321: Improperly...

CVSS 9.8 | AI score 6.8 | EPSS 0.43247
Exploits: 3 | Affected Software: 1

IBM Security Bulletins
added 2025/09/05 7:9 a.m. | 2 views

Security Bulletin: Common vulnerabilities discovered in Spark2 executables released with Cloudera Observability on Premises with IBM Version 3.5.3

Summary Cloudera Observability on premises with IBM 3.5.3 ships with Spark 2 executables; however, the application runs on Spark 3. This security bulletin identifies a set of common vulnerabilities found in the Spark 2 libraries. Spark 2 has reached End of Support (EOS). Clients are advised to use...

AI score 6.6
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/05 7:7 a.m. | 3 views

Security Bulletin: Fixes to common vulnerabilities discovered in Cloudera Data Platform 7.1.7 SP2

Summary Fixes to common vulnerabilities discovered in Cloudera Data Platform 7.1.7 SP2 are available to download from Cloudera and IBM. Vulnerability Details CVEID:CVE-2017-7657 DESCRIPTION: Eclipse Jetty is vulnerable to HTTP request smuggling, caused by improper handling of Chunked...

CVSS 9.8 | AI score 8.6 | EPSS 0.36207
Exploits: 9 | Affected Software: 1

IBM Security Bulletins
added 2025/09/05 7:7 a.m. | 3 views

Security Bulletin: Common vulnerabilities fixed in Cloudera Data Platform Private Cloud Base 7.1.9 SP1

Summary Common vulnerabilities fixed in Cloudera Data Platform Private Cloud Base 7.1.9 SP1 Vulnerability Details CVEID:CVE-2022-24785 DESCRIPTION: Moment.js could allow a remote attacker to traverse directories on the system, caused by improper validation of user supplied input. An attacker coul...

CVSS 7.5 | AI score 6.7 | EPSS 0.01827
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/05 7:7 a.m. | 3 views

Security Bulletin: Common vulnerabilities discovered in Spark2 executables released with Cloudera Observability on Premises with IBM Version 3.5.3

Summary Cloudera Observability on premises with IBM 3.5.3 ships with Spark 2 executables; however, the application runs on Spark 3. This security bulletin identifies a set of common vulnerabilities found in the Spark 2 libraries. Spark 2 has reached End of Support (EOS). Clients are advised to use...

AI score 6.6
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/05 7:6 a.m. | 3 views

Security Bulletin: Multiple Vulnerabilities discovered in Cloudera Data Platform Private Cloud Base with IBM 7.1.7 SP2

Summary Multiple Vulnerabilities discovered in Cloudera Data Platform Private Cloud Base with IBM 7.1.7 SP2 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions ---|--- Cloudera Data Platform Priva...

AI score 6.8
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 10:49 p.m. | 12 views

Security Bulletin: Astronomer with IBM is vulnerable to weak encryption due to the jose package (CVE-2025-45767)

Summary Jose is used by Astronomer with IBM as part of the JSON encryption functionality. Vulnerability Details CVEID:CVE-2025-45767 DESCRIPTION: jose v6.0.10 was discovered to contain weak encryption. NOTE: this is disputed by a third party because the claim of "do not meet recommended security...

CVSS 7 | AI score 6.9 | EPSS 0.00136
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 10:48 p.m. | 4 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to improper access control due to the linux-pam package (CVE-2025-6020)

Summary Linux-pam is used by DataStage on Cloud Pak for Data as part of the authentication functionality. Vulnerability Details CVEID:CVE-2025-6020 DESCRIPTION: A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local...

CVSS 7.8 | AI score 6.3 | EPSS 0.00072
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 10:47 p.m. | 3 views

Security Bulletin: Astronomer with IBM is vulnerable to request smuggling due to the Ruby WEBrick package (CVE-2025-6442)

Summary WEBrick is used by Astronomer with IBM as part of the application processing functionality. Vulnerability Details CVEID:CVE-2025-6442 DESCRIPTION: Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on...

CVSS 6.5 | AI score 6.8 | EPSS 0.00257
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 10:46 p.m. | 5 views

Security Bulletin: Astronomer with IBM is vulnerable to unintentional traffic forwarding due to kube-proxy (CVE-2021-25736)

Summary Kube-proxy is used by Astronomer with IBM as part of Kubernetes functionality. Vulnerability Details CVEID:CVE-2021-25736 DESCRIPTION: Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port “spec.ports.port” as a LoadBalancer Service when t...

CVSS 6.3 | AI score 6.1 | EPSS 0.00091
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 10:45 p.m. | 4 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to untrusted library loading due to the GNU C library (CVE-2025-4802)

Summary The GNU C library is used by DataStage on Cloud Pak for Data as part of general processing. Vulnerability Details CVEID:CVE-2025-4802 DESCRIPTION: Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of...

CVSS 7.8 | AI score 6.7 | EPSS 0.00043
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 10:44 p.m. | 11 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to extraction filter issues due to the python package (CVE-2025-4330, CVE-2025-4435)

Summary Python is used by DataStage on Cloud Pak for Data as part of general processing functionality. Vulnerability Details CVEID:CVE-2025-4330 DESCRIPTION: Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of so...

CVSS 7.5 | AI score 7.8 | EPSS 0.01012
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 10:40 p.m. | 5 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to allocation of resource abuse due to the commons-fileupload package (CVE-2025-48976)

Summary Commons-fileupload is used by DataStage on Cloud Pak for Data as part of the file handling functionality. Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload...

CVSS 7.5 | AI score 6.7 | EPSS 0.01278
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 10:39 p.m. | 10 views

Security Bulletin: Astronomer with IBM is vulnerable to several vulnerabilities

Summary Open source software is used by Astronomer with IBM as part of overall processing functionality. Vulnerability Details CVEID:CVE-2005-2541 DESCRIPTION: Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gai...

CVSS 10 | AI score 9.5 | EPSS 0.03832
Exploits: 18 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 1:16 p.m. | 5 views

Security Bulletin: IBM MQ is vulnerable to a password disclosure vulnerability.

Summary IBM MQ has addressed a password disclosure vulnerability CVE-2025-36100 Vulnerability Details CVEID:CVE-2025-36100 DESCRIPTION: IBM MQ Java and JMS stores a password in client configuration files when trace is enabled which can be read by a local user. CWE:CWE-260: Password in Configurati...

CVSS 5.5 | AI score 6.2 | EPSS 0.00015
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 1:16 p.m. | 4 views

Security Bulletin: IBM MQ is affected by multiple vulnerabilities in the IBM Runtime Environment, Java Technology Edition (CVE-2025-50106, CVE-2025-30749, CVE-2025-30761, CVE-2025-30754)

Summary Multiple issues were identified with IBM Runtime Environment, Java Technology Edition which is shipped with IBM MQ Vulnerability Details CVEID:CVE-2025-50106 DESCRIPTION: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java ...

CVSS 8.1 | AI score 6.3 | EPSS 0.02123
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 12:58 p.m. | 5 views

Security Bulletin: The B2B API of IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Cross-Site Scripting (CVE-2025-2694)

Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the cross-site scripting vulnerability Vulnerability Details CVEID:CVE-2025-2694 DESCRIPTION: IBM Sterling B2B Integrator CWE:CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting'...

CVSS 4.8 | AI score 5.7 | EPSS 0.00033
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 12:54 p.m. | 9 views

Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Information Disclosure (CVE-2025-2667)

Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the information disclosure vulnerability Vulnerability Details CVEID:CVE-2025-2667 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition could disclose sensitive system information about the server to a privileged...

CVSS 4.9 | AI score 5.8 | EPSS 0.00058
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 12:50 p.m. | 4 views

Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Denial of Service Due to IBM WebSphere Application Server Liberty (CVE-2024-47535)

Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the denial of service vulnerability Vulnerability Details CVEID:CVE-2024-47535 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance...

CVSS 5.5 | AI score 6.4 | EPSS 0.00467
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 9:23 a.m. | 3 views

Security Bulletin: The IBM® Engineering Lifecycle Management - Jazz Foundation is impacted by Path Relative Stylesheet Import vulnerability.

Summary A vulnerability has been identified in IBM Engineering Lifecycle Management - Jazz Foundation, due to a Path-Relative Stylesheet Import (PRSSI). This bulletin contains information regarding vulnerabilities and remediation actions. Vulnerability Details CVEID:CVE-2024-43184 DESCRIPTION: IBM...

CVSS 6.1 | AI score 6 | EPSS 0.00126
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 9:5 a.m. | 5 views

Security Bulletin: The IBM Engineering Test Management product using WebSphere Application Server traditional is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)

Summary There is a vulnerability in Apache Commons FileUpload which affects IBM WebSphere Application Server traditional and affects IBM WebSphere Application Server Liberty with the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0 or servlet-6.0 feature enabled. It has been addressed in this...

CVSS 7.5 | AI score 7.5 | EPSS 0.01278
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 9:5 a.m. | 4 views

Security Bulletin: The IBM Engineering Test Management product using WebSphere Application Server is affected by a denial of service with glassfish jsonp (CVE-2025-36097)

Summary IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by a denial of service. This affects WebSphere Liberty with the jsonp-1.0, jsonp-1.1, or jsonp-2.0 features enabled. It has been addressed in this bulletin. Vulnerability Details Refer to the security...

CVSS 7.5 | AI score 8.6 | EPSS 0.0027
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 9:5 a.m. | 4 views

Security Bulletin: The IBM Engineering Test Management product using WebSphere Application Server traditional could allow a remote attacker to bypass security restrictions (CVE-2024-56339)

Summary IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by a security bypass caused by a failure to honor security configuration. It has been addressed in this bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes...

CVSS 7.5 | AI score 8.6 | EPSS 0.00132
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 9:4 a.m. | 4 views

Security Bulletin: The IBM® Engineering Lifecycle Management products using IBM® SDK, Java™ Technology Edition affected by multiple vulnerabilities (CVE-2025-50106, CVE-2025-30749, CVE-2025-30761, CVE-2025-30754)

Summary This bulletin for IBM SDK, Java Technology Edition covers all applicable Java SE CVEs published by Oracle as part of their July 2025 Critical Patch Update. For more information please refer to Oracle's July 2025 CPU Advisory and the CVE links referenced below. Following IBM® Engineering...

AI score 7.2
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 9:4 a.m. | 2 views

Security Bulletin: The IBM® Engineering Lifecycle Management products using WebSphere Application Server Liberty is affected by a security bypass in JMS messaging (CVE-2025-36124)

Summary IBM WebSphere Application Server Liberty is affected by a security bypass vulnerability in JMS messaging with the wasJmsServer-1.0, wasJmsSecurity-1.0, wasJmsClient-2.0, messagingServer-3.0, messagingSecurity-3.0, or messagingClient-3.0 feature enabled. Following IBM® Engineering Lifecycl...

CVSS 7.5 | AI score 6.3 | EPSS 0.00051
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 9:4 a.m. | 4 views

Security Bulletin: The IBM® Engineering Lifecycle Management products using WebSphere Application Server Liberty is affected by a denial of service with HTTP/2 (CVE-2025-36047)

Summary IBM WebSphere Application Server Liberty is affected by a denial of service with the servlet-3.1, servlet-4.0, servlet-5.0, or servlet-6.0 feature with the HTTP/2 protocol enabled. Following IBM® Engineering Lifecycle Management products are vulnerable to this attack, it has been addresse...

CVSS 7.5 | AI score 6.2 | EPSS 0.00115
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 9:2 a.m. | 11 views

Security Bulletin: The IBM® Engineering Lifecycle Management products using WebSphere Application Server Liberty is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)

Summary There is a vulnerability in Apache Commons FileUpload which affects IBM WebSphere Application Server traditional and affects IBM WebSphere Application Server Liberty with the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0 or servlet-6.0 feature enabled. Following IBM® Engineering...

CVSS 7.5 | AI score 7.6 | EPSS 0.01278
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 9:1 a.m. | 7 views

Security Bulletin: The IBM® Engineering Lifecycle Management products using WebSphere Application Server Liberty is affected by a denial of service (CVE-2025-36000)

Summary IBM WebSphere Application Server Liberty is affected by a stored cross-site scripting vulnerability with the adminCenter-1.0 feature enabled. Following IBM® Engineering Lifecycle Management products are vulnerable to this attack, it has been addressed in this bulletin: Jazz Foundation,...

CVSS 4.8 | AI score 5.7 | EPSS 0.00036
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 8:59 a.m. | 3 views

Security Bulletin: The IBM® Engineering Lifecycle Management products using WebSphere Application Server Liberty could allow a remote attacker to bypass security restrictions (CVE-2024-56339)

Summary IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by a security bypass caused by a failure to honor security configuration. IBM® Engineering Lifecycle Management products are vulnerable to this attack, it has been addressed in this bulletin: Jazz...

CVSS 7.5 | AI score 8.6 | EPSS 0.00132
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/04 3:25 a.m. | 4 views

Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Denial of Service Due to Netty (CVE-2024-47535)

Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the denial of service vulnerability Vulnerability Details CVEID:CVE-2024-47535 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance...

CVSS 5.5 | AI score 6.7 | EPSS 0.00467
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 6:40 p.m. | 6 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a denial of service due to Apache Commons FileUpload with the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0 or servlet-6.0 feature enabled. Vulnerability Details Refer to th...

CVSS 7.5 | AI score 7.6 | EPSS 0.01278
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 6:36 p.m. | 6 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a denial of service due to Apache Commons FileUpload with the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0 or servlet-6.0 feature enabled. Vulnerability Details Refer ...

CVSS 7.5 | AI score 7.5 | EPSS 0.01278
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 6:33 p.m. | 9 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a denial of service due to Apache Commons FileUpload with the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0 or servlet-6.0 feature enabled. Vulnerability Details Refer to the...

CVSS 7.5 | AI score 7.5 | EPSS 0.01278
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 6:17 p.m. | 5 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)

Summary IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a denial of service due to Apache Commons FileUpload. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affecte...

CVSS 7.5 | AI score 7.6 | EPSS 0.01278
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 6:12 p.m. | 5 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)

Summary IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a denial of service due to Apache Commons FileUpload. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions...

CVSS 7.5 | AI score 7.5 | EPSS 0.01278
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 6:9 p.m. | 12 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)

Summary IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a denial of service due to Apache Commons FileUpload. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected...

CVSS 7.5 | AI score 7.5 | EPSS 0.01278
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 6:1 p.m. | 4 views

Security Bulletin: IBM Transformation Advisor is affected by a vulnerability found in a container (CVE-2025-36193)

Summary IBM Transformation Advisor is vulnerable to a privilege escalation vulnerability inside a container running the IBM Transformation Advisor Operator Catalog image. Vulnerability Details CVEID:CVE-2025-36193 DESCRIPTION: IBM Transformation Advisor incorrectly assigns privileges to security...

CVSS 8.4 | AI score 6.8 | EPSS 0.00016
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 8:10 a.m. | 3 views

Security Bulletin: A vulnerability in form-data may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2025-7783)

Summary There is a vulnerability in form-data used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerabili...

CVSS 9.4 | AI score 4.8 | EPSS 0.01319
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 8:4 a.m. | 6 views

Security Bulletin: Multiple vulnerabilities in pbkdf2 affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2025-6545 and CVE-2025-6547)

Summary There are multiple vulnerabilities in pbkdf2 used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-6547 DESCRIPTION: Improper Input Validation vulnerability...

CVSS 9.1 | AI score 6.8 | EPSS 0.00416
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 7:53 a.m. | 4 views

Security Bulletin: Multiple vulnerabilities in libxml2 affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2025-49795, CVE-2025-49794 and CVE-2025-49796)

Summary There are multiple vulnerabilities in libxml2 used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-49795 DESCRIPTION: A NULL pointer dereference...

CVSS 9.1 | AI score 8.6 | EPSS 0.01777
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 7:14 a.m. | 2 views

Security Bulletin: Vulnerability in jetty-server affects IBM Integrated Analytics System

Summary The jetty-server component is used by IBM Integrated Analytics System for handling HTTP requests. A vulnerability was identified in the ThreadLimitHandler.getRemote method, where crafted requests can cause memory exhaustion and OutOfMemory errors. As this condition is unhandled, it may le...

CVSS 6.5 | AI score 6.7 | EPSS 0.011
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 5:1 a.m. | 5 views

Security Bulletin: Multiple vulnerabilities in IBM WebSphere Liberty impact IBM License Key Server Administration and Reporting Tool and IBM LKS Administration Agent.

Summary Multiple vulnerabilities in IBM WebSphere Liberty impact IBM License Key Server Administration and Reporting Tool and IBM LKS Administration Agent. Vulnerability Details CVEID:CVE-2025-36047 DESCRIPTION: IBM WebSphere Application Server Liberty 18.0.0.2 through 25.0.0.8 is vulnerable to a...

CVSS 7.5 | AI score 8.2 | EPSS 0.01278
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 4:55 a.m. | 9 views

Security Bulletin: Vulnerabilities in dependencies affect IBM Common Licensing

Summary Security Vulnerabilities in dependencies affect IBM Common Licensing. These vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2024-38820 DESCRIPTION: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase ha...

CVSS 8.8 | AI score 7.9 | EPSS 0.2051
Exploits: 4 | Affected Software: 1

IBM Security Bulletins
added 2025/09/03 4:53 a.m. | 4 views

Security Bulletin: IBM Common Licensing using IBM® SDK, Java™ Technology Edition vulnerable to CVEs

Summary Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition in IBM License Key Server Administration and Reporting Tool (ART) and Administration Agent. This bulletin for IBM SDK, Java Technology Edition covers all applicable Java SE CVEs published by Oracle as part of their July 2025...

AI score 6.6
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/02 6:55 p.m. | 5 views

Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to an Exposure of Sensitive System Information Vulnerability (CVE-2025-36162)

Summary IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) integration point may expose certain sensitive information to an authenticated user. Vulnerability Details CVEID:CVE-2025-36162 DESCRIPTION: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) 8.1.x before 8.1.2.2 could allow an authenticated user to...

CVSS 4.3 | AI score 6 | EPSS 0.00056
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/09/02 6:54 p.m. | 6 views

Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is affected by a Memory Allocation with Excessive Size Value Vulnerability in Apache ActiveMQ (CVE-2025-27533)

Summary Apache ActiveMQ is used by IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) as part of its legacy communication protocol and is affected by a Memory Allocation with Excessive Size Value Vulnerability (CVE-2025-27533). Vulnerability Details CVEID:CVE-2025-27533 DESCRIPTION: Memory Allocation wi...

CVSS 7.5 | AI score 6.5 | EPSS 0.02253
Exploits: 2 | Affected Software: 1

Total number of security vulnerabilities: 34926