Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a request smuggling vulnerability in net/http [CVE-2025-22871]
Summary IBM Watson Speech Services Cartridge is vulnerable to a request smuggling vulnerability in net/http, caused by a condition where the package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines CVE-2025-22871. Net/http is used as part of our speech utilities...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a path traversal vulnerability in rsync [ CVE-2024-12087]
Summary IBM Watson Speech Services Cartridge is vulnerable to a path traversal vulnerability in rsync, caused by a behavior enabled by the --inc-recursive option, a default-enabled option for many client options, that can be enabled by the server even if not explicitly enabled by the client...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure in rsync [CVE-2024-12747]
Summary IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure in rsync, due to a race condition during rsync's handling of symbolic links CVE-2024-12747. Rsync is used as part of our Java Microservices. This vulnerability has been addressed. Please read the detai...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a path traversal vulnerability in rsync [CVE-2024-12088]
Summary IBM Watson Speech Services Cartridge is vulnerable to a path traversal vulnerability in rsync, due to an issue when using the --safe-links option, where the client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Handling of Case Sensitivity in Apache Tomcat [CVE-2025-46701]
Summary IBM Watson Speech Services Cartridge is vulnerable to an Improper Handling of Case Sensitivity in Apache Tomcat, due to an issue where the CGI servlet allows a bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Input Validation in Apache Tomcat [CVE-2025-31650]
Summary IBM Watson Speech Services Cartridge is vulnerable to an Improper Input Validation in Apache Tomcat, caused by incorrect error handling for some invalid HTTP priority headers, resulting in incomplete clean-up of the failed request, which creates a memory leak CVE-2025-31650 Apache Tomcat ...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Input Validation in Spring [CVE-2025-22235]
Summary IBM Watson Speech Services Cartridge is vulnerable to an Improper Input Validation in Spring, caused by Spring Boot EndpointRequest.to creating the wrong matcher if the actuator endpoint is not exposed CVE-2025-22235. Spring is used as part of our Java Microservices. This vulnerability...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Access Control vulnerability in Apache HttpClient [CVE-2025-27820]
Summary IBM Watson Speech Services Cartridge is vulnerable to an Improper Access Control vulnerability in Apache HttpClient 5.4.x, due to a bug in PSL validation logic that disables domain checks, affecting cookie management and host name verification CVE-2025-27820. Apache HttpClient is used as...
Security Bulletin: IBM Application Modernization Accelerator is affected by vulnerability found in Node.js (CVE-2025-7338)
Summary There is a vulnerability in Node.js used by IBM Application Modernization Accelerator. The issue has been addressed in an update. Vulnerability Details CVEID:CVE-2025-7338 DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starti...
Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant IDE Extensions
Summary Multiple vulnerabilities were addressed in IBM watsonx Code Assistant IDE Extensions VS code - V1.8.2, Eclipse IDE - 1.4.1 Vulnerability Details CVEID:CVE-2025-31125 DESCRIPTION: Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using...
Security Bulletin: IBM Transformation Advisor is affected by vulnerability found in Node.js (CVE-2025-7338)
Summary There is a vulnerability in Node.js used by IBM Transformation Advisor. The issues have been addressed in an update. Vulnerability Details CVEID:CVE-2025-7338 DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starting in version...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Access Control vulnerability in Apache Commons [CVE-2025-48734]
Summary IBM Watson Speech Services Cartridge is vulnerable to an Improper Access Control vulnerability in Apache Commons, where the BeanIntrospector class is not enabled by default, and could allow an attacker to access the enum's class loader via the "declaredClass" property...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Remote Command Execution in PyTorch [CVE-2025-32434]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Remote Command Execution in PyTorch, due to a condition that exists when loading a model using torch.load with weights_only=True CVE-2025-32434. PyTorch is used in our speech service runtimes. This vulnerability has been addressed...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Denial of Service in huggingface/transformers [CVE-2025-1194]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Denial of Service in huggingface/transformers, caused by a regex exhibiting exponential complexity under certain conditions with specially crafted inputs, leading to excessive backtracking CVE-2025-1194. Huggingface/transformers is...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a machine-in-the-middle attack in OpenSSH [CVE-2025-26465]
Summary IBM Watson Speech Services Cartridge is vulnerable to a machine-in-the-middle attack in OpenSSH, due to an error in how OpenSSH mishandles error codes in specific conditions when verifying the host key CVE-2025-26465. OpenSSH is used in our speech service runtimes. This vulnerability has...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Improper Encoding or Escaping of Output in Git [CVE-2024-52005]
Summary IBM Watson Speech Services Cartridge is vulnerable to Improper Encoding or Escaping of Output in Git, due to a failure to protect against standard error output in ANSI escape sequences CVE-2024-52005. Git is used in our speech service runtimes. This vulnerability has been addressed. Plea...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Denial of Service in huggingface/transformers [CVE-2025-2099]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Denial of Service in huggingface/transformers, due to an issue where the regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large...
Security Bulletin: Db2 Bridge Release 1.1.1
Summary This issue affected users of Db2 Bridge 1.1.1; a new fix pack was released to address the issue. Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated...
Security Bulletin: IBM Guardium Data Protection is affected by an SQL Injection via username vulnerability (CVE-2024-55906).
Summary IBM Guardium Data Protection has addressed this vulnerability in an update. Vulnerability Details CVEID:CVE-2024-55906 DESCRIPTION: IBM Security Guardium is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view,...
Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities.
Summary There are vulnerabilities in IBM® Semeru Runtime and Open-Source Software (OSS) components consumed by IBM Cognos Dashboards on Cloud Pak for Data. Vulnerability Details CVEID:CVE-2025-25193 DESCRIPTION: Netty, an asynchronous, event-driven network application framework, has a vulnerability...
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Multer, form-data and on-headers (CVE-2025-7338, CVE-2025-7783 & CVE-2025-7339)
Summary IBM App Connect Enterprise Connector Discovery and OpenAPI Editor, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise Runtime are vulnerable to multiple vulnerabilities due to Multer, form-data and on-headers. This bulletin addresses those vulnerabilities...
Security Bulletin: IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager could provide weaker than expected security for TLS connections.
Summary A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2025-33142). Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affecte...
Security Bulletin: IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager is vulnerable to a denial of service
Summary A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2025-48976). Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affecte...
Security Bulletin: Multiple Vulnerabilities affecting IBM Watson Studio in Cloud Pak for Data Are Addressed
Summary There are multiple vulnerabilities impacting IBM Watson Studio in Cloud Pak for Data. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-49080 DESCRIPTION: The Jupyter Server provides the backend i.e. the core services, APIs, an...
Security Bulletin: Vulnerability in commons-lang3 affects IBM Integrated Analytics System
Summary The commons-lang3 library is used by IBM Integrated Analytics System for core utility functions. A vulnerability was identified in the ClassUtils.getClass... method, where uncontrolled recursion on very long inputs can trigger a StackOverflowError. As this error is often unhandled, it may...
Security Bulletin: Vulnerability in commons-io affects IBM Integrated Analytics System
Summary The commons-io library is used by IBM Integrated Analytics System for input/output processing. A vulnerability was identified in the org.apache.commons.io.input.XmlStreamReader class, where processing untrusted input could result in excessive CPU usage, potentially leading to a denial of...
Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant On Prem
Summary Multiple vulnerabilities were addressed in IBM watsonx Code Assistant On Prem V5.2 Vulnerability Details CVEID:CVE-2025-54121 DESCRIPTION: Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versio...
Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple issues
Summary Multiple vulnerabilities affect IBM Sterling Secure Proxy and are addressed in the latest release and iFix Vulnerability Details CVEID:CVE-2024-13009 DESCRIPTION: In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating...
Security Bulletin: IBM Sterling External Authentication Server is vulnerable to multiple issues
Summary Multiple vulnerabilities affect IBM Sterling External Authentication Server and are addressed in the latest release and iFix Vulnerability Details CVEID:CVE-2025-27152 DESCRIPTION: axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs...
Security Bulletin: Vulnerability affects IBM watsonx Orchestrate with watsonx Assistant Cartridge
Summary Potential vulnerability has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficientl...
Security Bulletin: Vulnerability in Netty affects IBM watsonx Orchestrate with watsonx Assistant Cartridge
Summary Potential vulnerability in Netty has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2025-24970 DESCRIPTION: Netty, an...
Security Bulletin: Vulnerability in SSH authorization affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
Summary A vulnerability in SSH authorization affects IBM Storage Virtualize products and could allow privilege escalation. CVE-2025-36120. Vulnerability Details CVEID:CVE-2025-36120 DESCRIPTION: IBM Storage Virtualize could allow an authenticated user to escalate their privileges in an SSH sessio...
Security Bulletin: IBM Security Verify Governance has multiple vulnerabilities
Summary Multiple security vulnerabilities in the dependent components have been addressed in the latest update to IBM Security Verify Governance. Vulnerability Details CVEID:CVE-2023-2953 DESCRIPTION: A vulnerability was found in openldap. This security flaw causes a null pointer dereference in...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in xmldom-0.9.8.tgz
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of xmldom-0.9.8.tgz Vulnerability Details CVEID:CVE-2021-32796 DESCRIPTION: xmldom is an open source pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older ...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-context-6.2.5.jar
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-context-6.2.5.jar Vulnerability Details CVEID:CVE-2025-22233 DESCRIPTION: CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-cloud-starter-gateway-4.1.7.jar
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-cloud-starter-gateway-4.1.7.jar Vulnerability Details CVEID:CVE-2025-41235 DESCRIPTION: Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies. CWE:CWE-444: Inconsisten...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in setuptools-70.3.0-py3-none-any.whl
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of setuptools-70.3.0-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-47273 DESCRIPTION: setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in http-proxy-middleware-2.0.7.tgz
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of http-proxy-middleware-2.0.7.tgz Vulnerability Details CVEID:CVE-2025-32997 DESCRIPTION: In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed. CWE:CWE-754: Improp...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in helpers-7.24.0.tgz
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of helpers-7.24.0.tgz Vulnerability Details CVEID:CVE-2025-27789 DESCRIPTION: Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in cryptography-44.0.0-cp37-abi3-macosx_10_9_universal2.whl
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of cryptography-44.0.0-cp37-abi3-macosx_10_9_universal2.whl Vulnerability Details CVEID:CVE-2024-12797 DESCRIPTION: Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in axios-1.6.1.tgz
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of axios-1.6.1.tgz Vulnerability Details CVEID:CVE-2025-27152 DESCRIPTION: axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to...
Security Bulletin: Vulnerabilities in libxml2 may affect IBM Storage Archive
Summary A series of security vulnerabilities in libxml2 could compromise users' environments, the vulnerabilities might cause: buffer overflows, use-after-free, or memory leaks. These vulnerabilities could allow remote attackers to execute arbitrary code, cause denial of service, or crash...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in tomcat-embed-core-9.0.99.jar
Summary IBM Watson Discovery Cartridge contains a vulnerable version of tomcat-embed-core-9.0.99.jar . This security bulletin addresses the issue. Vulnerability Details CVEID:CVE-2025-31650 DESCRIPTION: Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some...
Security Bulletin: Multiple vulnerabilities that affects BigReplicate (CVE-2024-51504, CVE-2024-38821, CVE-2023-20863)
Summary zookeeper-3.9.2.jar, spring-aop-5.3.26.jar, spring-security-web-5.8.11.jar dependency packages are being used by IBM BigReplicate. This bulletin describes the upgrades necessary to address the vulnerability. Vulnerability Details CVEID:CVE-2024-51504 DESCRIPTION: When using...
Security Bulletin: IBM Datapower Operations Dashboard could potentially cause SSRF and credential leakage CVE-2025-27152
Summary Axios is used by the IBM Datapower Operations Dashboard for HTTP requests to communicate with servers or APIs Vulnerability Details CVEID:CVE-2025-27152 DESCRIPTION: axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than...
Security Bulletin: IBM Datapower Operations Dashboard could cause a native crash CVE-2025-24970
Summary Netty is used by the IBM Datapower Operations Dashboard for its network application framework implementation Vulnerability Details CVEID:CVE-2025-24970 DESCRIPTION: Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final an...
Security Bulletin: IBM Datapower Operations Dashboard could allow a denial of service attack CWE-1321
Summary Axios is used by the IBM Datapower Operations Dashboard for HTTP requests to communicate with servers or APIs Vulnerability Details IBM X-Force ID: 294242 DESCRIPTION: Node.js Axios module is vulnerable to a denial of service, caused by a prototype pollution in the formDataToJSON function...
Security Bulletin: IBM Datapower Operations Dashboard could cause a denial of service CWE-1321
Summary Axios is used by the IBM Datapower Operations Dashboard for HTTP requests to communicate with servers or APIs Vulnerability Details IBM X-Force ID: 294242 DESCRIPTION: Node.js Axios module is vulnerable to a denial of service, caused by a prototype pollution in the formDataToJSON function...