35608 matches found
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to slow parsing in golang.org/x/net/proxy [CVE-2024-45338]
Summary IBM Watson Speech Services Cartridge is vulnerable to slow parsing in golang.org/x/net/proxy, due to non-linearly parsing of input with respect to its length CVE-2024-45338 . Golang is used in our speech utilities. This vulnerabilitiy has been addressed. Please read the details for...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a misinterpretation of Input in golang.org/x/net/proxy [CVE-2025-22870]
Summary IBM Watson Speech Services Cartridge is vulnerable to a misinterpretation of Input in golang.org/x/net/proxy, due to matching of hosts against proxy patterns which can improperly treat an IPv6 zone ID as a hostname component CVE-2025-22870. Golang is used in our speech utilities. This...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Insufficiently Protected Credentials in Requests [CVE-2024-47081]
Summary IBM Watson Speech Services Cartridge is vulnerable to Insufficiently Protected Credentials in Requests, due to a URL parsing issue CVE-2024-47081. Requests is used in our speech runtimes This vulnerabilitiy has been addressed. Please read the details for remediation below. Vulnerability...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Node DOS vulnerability in Kubernetes [CVE-2025-0426]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Node DOS vulnerability in Kubernetes, due to a flaw in the kubelet read-only HTTP endpoint CVE-2025-0426. Kubernetes is used in our speech-utilities. This vulnerabilitiy has been addressed. Please read the details for remediation...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a path traversal vulnerability in protobuf [CVE-2025-47273]
Summary IBM Watson Speech Services Cartridge is vulnerable to a path traversal vulnerability in Chuck-protobuf, due to a flaw in setuptoolsPackageIndex CVE-2025-47273. Protobuf is used in our speech service runtimes. This vulnerabilitiy has been addressed. Please read the details for remediation...
Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities.
Summary There are vulnerabilities in Open-Source Software OSS components consumed by IBM Cognos Dashboards on Cloud Pak for Data. Vulnerability Details CVEID:CVE-2023-45857 DESCRIPTION: An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by...
Security Bulletin: Multiple vulnerabilities affect IBM® Semeru Runtime (CVE-2025-53057, CVE-2025-53066)
Summary This bulletin for IBM Semeru Runtime covers all applicable Java SE CVEs published by OpenJDK as part of their October 2025 Vulnerability Advisory. For more information please refer to OpenJDK's October 2025 Vulnerability Advisory and the CVE links below. Vulnerability Details...
Security Bulletin: Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition (CVE-2025-53066, CVE-2025-53057)
Summary This bulletin for IBM SDK, Java Technology Edition covers all applicable Java SE CVEs published by Oracle as part of their October 2025 Critical Patch Update. For more information please refer to Oracle's October 2025 CPU Advisory and the CVE links referenced below. Vulnerability Details...
Security Bulletin: IBM Jazz for Service Management is vulnerable to "filter" cookie not sent over SSL
Summary IBM Jazz for Service Management is vulnerable to "filter" cookie not sent over SSL CVE-2025-36249. Vulnerability Details CVEID:CVE-2025-36249 DESCRIPTION: IBM Jazz for Service Management does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to...
Security Bulletin: IBM App Connect Enterprise Certified Container UBI updates
Summary IBM App Connect Enterprise Certified Container ACEcc is built on the Red Hat Universal Base Images. ACEcc operator versions 12.0.17 LTS and 12.17.0 contain fixes to the listed CVEs found in the base images. This bulletin provides patch information to address the reported vulnerabilities...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationRuntime and IntegrationServer operands are vulnerable to improper access control [CVE-2025-48734]
Summary Apache Commons Beanutils is used by IBM App Connect Enterprise Certified Container when using MQ FTE. IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationRuntime and IntegrationServer operands that run flows that use MQ FTE are vulnerable to improper access contro...
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality [CVE-2025-59343]
Summary Node.js module tar-fs is used by IBM App Connect Enterprise Certified Container for processing tar files and streams. IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationRuntime and IntegrationServer operands that use email nodes are vulnerable to loss of confidentiality [GHSA-mm7p-fcc7-pg87]
Summary Node.js module nodemailer is used by IBM App Connect Enterprise Certified Container for processing email in Designer flows that contain an email Node. IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationRuntime and IntegrationServer operands that run flows...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for Oct 2025
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 2.0.3 IF001 Vulnerability Details CVEID:CVE-2025-58457 DESCRIPTION: Improper permission check in ZooKeeper AdminServer lets authorized clients to ru...
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service [CVE-2025-58754]
Summary Node.js module axios is used by IBM App Connect Enterprise Certified Container for some HTTP calls. IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability in Node.js module...
Security Bulletin: IBM InfoSphere Information Server is vulnerable to privilege escalation (CVE-2025-33003)
Summary A privilege escalation vulnerability in InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-33003 DESCRIPTION: IBM InfoSphere Information Server could allow a non-root user to gain higher privileges/capabilities within the scope of a container due to executio...
Security Bulletin: Multiple vulnerabilities in IBM DevOps Solution Workbench
Summary Multiple vulnerabilities were addressed in IBM DevOps Solution Workbench version 5.1. Vulnerability Details CVEID:CVE-2025-46701 DESCRIPTION: Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that...
Security Bulletin: IBM Aspera High-Speed Transfer Server and IBM Aspera High-Speed Transfer Endpoint are vulnerable to an interger overflow attack
Summary A vulnerability has been identified in Redis' in-memory data structure store that could lead to remote code execution. This vulnerability has been addressed in IBM Aspera High-Speed Transfer Server v4.4.7 and IBM Aspera High-Speed Transfer Endpoint v4.4.7 and part of the same remediation...
Security Bulletin: IBM Tivoli Monitoring is vulnerable to unauthenticated file read and write operations
Summary The KT1 component of ITM/ITCAM Agents, hereafter referred to as simply Agents, provides the ability to read from and write to the local file system. This facility is utilised by features such as SDA, Self-Describing Agent, which ensures that updates to a product's application support file...
Security Bulletin: IBM Financial Transaction Manager is impacted by an out-of-bounds read vulnerability in RedHat Proxy for Kubernetes RBAC authorization
Summary IBM Financial Transaction Manager for RedHat OpenShift has addressed the following vulnerability. Vulnerability Details CVEID:CVE-2025-5318 DESCRIPTION: A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftphandle function d...
Security Bulletin: Multiple vulnerabilities in IBM Aspera Orchestrator
Summary Multiple vulnerabilities were addressed in IBM Aspera Orchestrator 4.1.0 Vulnerability Details CVEID:CVE-2025-58767 DESCRIPTION: REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need ...
Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.11.1 Vulnerability Details CVEID:CVE-2025-8129 DESCRIPTION: A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js o...
Security Bulletin: IBM Sterling Connect:Direct for UNIX is vulnerable to Execution with Unnecessary Privileges, CVE-2025-36137.
Summary IBM Sterling Control Center can apply maintenance to and upgrade IBM Sterling Connect:Direct for UNIX. The Control Center administrator has the option of running pre and post update scripts. Those scripts are run as root; they should be run as the standard user account under which...
Security Bulletin: IBM DataPower Gateway vulnerable to data corruption due to LZ4 (CVE-2019-17543)
Summary LZ4 is used in multiple components of IBM DataPower Gateway Vulnerability Details CVEID:CVE-2019-17543 DESCRIPTION: LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4write32 related to LZ4compressdestSize, affecting applications that call LZ4compressfast with a large input. This iss...
Security Bulletin: IBM DataPower vulnerable to a Denial of Service due to Axios (CVE-2025-58754)
Summary Axios is used in the UI of IBM DataPower and in the gateway director component. Vulnerability Details CVEID:CVE-2025-58754 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with...
Security Bulletin: Multiple Vulnerabilities in IBM Application Performance Management Core Framework.
Summary Multiple vulnerabilities were addressed in IBM Application Performance Management 8.1.4.0 Core Framework IF29 patch. Vulnerability Details CVEID:CVE-2025-1470 DESCRIPTION: In Eclipse OMR, from the initial contribution to version 0.4.0, some OMR internal port library and utilities consumer...
Security Bulletin: IBM QRadar Hub for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM QRadar Hub for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-58754 DESCRIPTION: Axios is a promise based HTTP clien...
Security Bulletin: IBM Maximo Application Suite - Manage Component uses requests-2.32.3-py3-none-any.whl which is vulnerable to CVE-2024-47081
Summary IBM Maximo Application Suite - Manage Component uses requests-2.32.3-py3-none-any.whl which is vulnerable to CVE-2024-47081.This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-47081 DESCRIPTION: Requests is a HTTP library. D...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in nimbus-jose-jwt
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in nimbus-jose-jwt Vulnerability Details CVEID:CVE-2025-53864 DESCRIPTION: Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of servic...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in flask-3.1.0-py3-none-any.whl
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in flask-3.1.0-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer Vulnerability Details CVEID:CVE-2025-7338 DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starting in version 1.4.4-lts.1 and prio...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in net/http
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in net/http Vulnerability Details CVEID:CVE-2025-4673 DESCRIPTION: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. CVSS...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in setuptools
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in setuptools Vulnerability Details CVEID:CVE-2024-6345 DESCRIPTION: A vulnerability in the packageindex module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by torch
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by torch Vulnerability Details CVEID:CVE-2025-2953 DESCRIPTION: A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnnmaxpool2d...
Security Bulletin: IBM Engineering Lifecycle Management - Jazz Foundation is impacted by stored Cross-Site Scripting
Summary A vulnerability has been addressed by IBM Engineering Lifecycle Management - Jazz Foundation, related to stored Cross-Site Scripting. This bulletin contains information regarding vulnerabilities and remediation actions. Vulnerability Details CVEID:CVE-2025-1826 DESCRIPTION: IBM Engineerin...
Security Bulletin: IBM Engineering Requirements Management DOORS Next is vulnerable to Broken Access Control for reviews (CVE-2025-2139) and comments (CVE-2025-2138), email spoofing (CVE-2025-2140) and DoS attacks (CVE-2025-33096)
Summary IBM Engineering Requirements Management DOORS Next is vulnerable to Broken Access Control for reviews CVE-2025-2139 and comments CVE-2025-2138, Unrestricted Email Recipients and Sender Spoofing CVE-2025-2140 and Artifact Upload Quote Parsing Allows DoS Attacks CVE-2025-33096. Vulnerabilit...
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to a deny of service attack due to the Netty package (CVE-2025-55163)
Summary Netty is used by DataStage on Cloud Pak for Data as part of the API processing functionality. Vulnerability Details CVEID:CVE-2025-55163 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable ...
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to several issues due to the Java package (CVE-2025-30749, CVE-2025-30754, CVE-2025-50059, CVE-2025-50106)
Summary Java is used by DataStage on Cloud Pak for Data as part of overall processing functionality. Vulnerability Details CVEID:CVE-2025-30749 DESCRIPTION: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: 2D...
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to uncontrolled recursion due to the Apache Commons Lang package (CVE-2025-48924)
Summary Apache Commons Lang is used by DataStage on Cloud Pak for Data as part of API processing functionality. Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with...
Security Bulletin: CVE-2023-39417: Extension script @substitutions@ within quoting allow SQL injection
Summary An extension script is vulnerable if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct dollar quoting, '', or "". No bundled extension is vulnerable. Vulnerable uses do appear in a documentation example and in non-bundled extensions. Hence, the attack...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in protobuf
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in protobuf Vulnerability Details CVEID:CVE-2025-4565 DESCRIPTION: Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in protobuf
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in protobuf Vulnerability Details CVEID:CVE-2025-4565 DESCRIPTION: Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer Vulnerability Details CVEID:CVE-2025-48997 DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starting in version 1.4.4-lts.1 and pri...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in torch
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in torch Vulnerability Details CVEID:CVE-2025-3730 DESCRIPTION: A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Affected is the function torch.nn.functional.ctcloss of...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer Vulnerability Details CVEID:CVE-2025-47944 DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starting in version 1.4.4-lts.1 and pri...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer Vulnerability Details CVEID:CVE-2025-47935 DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in python3-pip-wheel python3.11-pip python3.11-pip-wheel requests
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in python3-pip-wheel python3.11-pip python3.11-pip-wheel requests Vulnerability Details CVEID:CVE-2024-47081 DESCRIPTION: Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior ...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in python3-pip-wheel requests
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in python3-pip-wheel requests Vulnerability Details CVEID:CVE-2024-47081 DESCRIPTION: Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credential...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in python3-pip-wheel requests
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in python3-pip-wheel requests Vulnerability Details CVEID:CVE-2024-47081 DESCRIPTION: Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credential...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in python3-pip-wheel python3.12-pip python3.12-pip-wheel requests
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in python3-pip-wheel python3.12-pip python3.12-pip-wheel requests Vulnerability Details CVEID:CVE-2024-47081 DESCRIPTION: Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior ...