34931 matches found

IBM Security Bulletins
added 2025/07/23 4:9 p.m. | 7 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to regular expression DoS and command injection due to the python package (CVE-2024-6232, CVE-2024-9287)

Summary Python is used by DataStage on Cloud Pak for Data as part of data processing functionality. Vulnerability Details CVEID:CVE-2024-6232 DESCRIPTION: There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile...

CVSS 7.8 | AI score 7 | EPSS 0.03014
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 3:6 p.m. | 5 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service under specific conditions (CVE-2024-52903)

Summary IBM® Db2® is vulnerable to a denial of service under specific conditions with a specially crafted query. Vulnerability Details CVEID:CVE-2024-52903 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is vulnerable to a denial of service as the server may crash und...

CVSS 7.5 | AI score 5.8 | EPSS 0.00133
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 3:4 p.m. | 14 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service under certain conditions. (CVE-2025-1493)

Summary IBM® Db2® is vulnerable to a denial of service due to concurrent execution of shared resources. Vulnerability Details CVEID:CVE-2025-1493 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server could allow an authenticated user to cause a denial of service due to...

CVSS 5.3 | AI score 6.1 | EPSS 0.00258
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 3:3 p.m. | 13 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service when connecting to a z/OS database. (CVE-2025-1000)

Summary IBM® Db2® is vulnerable to a denial of service when connecting to a z/OS database due to improper handling of automatic client rerouting. Vulnerability Details CVEID:CVE-2025-1000 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server could allow an authenticated use...

CVSS 6.5 | AI score 5.8 | EPSS 0.00157
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 3:2 p.m. | 12 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service due to insufficient release of allocated memory after usage. (CVE-2025-1992)

Summary IBM® Db2® is vulnerable to a denial of service due to insufficient release of allocated memory after usage under federation configuration. Vulnerability Details CVEID:CVE-2025-1992 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes DB2 Connect Server could allow an authenticated us...

CVSS 6.5 | AI score 5.9 | EPSS 0.00157
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 3:0 p.m. | 18 views

Security Bulletin: IBM® Db2® federated server is vulnerable to a denial of service due to insufficient release of allocated memory resources. (CVE-2025-0915)

Summary IBM® Db2® is vulnerable to a denial of service due to insufficient release of allocated memory resources. Vulnerability Details CVEID:CVE-2025-0915 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server under specific configurations could allow an authenticated user ...

CVSS 6.5 | AI score 5.8 | EPSS 0.00157
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 2:50 p.m. | 9 views

Security Bulletin: IBM® Db2® is vulnerable to denial of service as the server may crash under certain conditions with a specially crafted query on columnar tables (CVE-2024-49350)

Summary IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query on columnar tables. Vulnerability Details CVEID:CVE-2024-49350 DESCRIPTION: IBM Db2 for Linux, UNIX and...

CVSS 7.5 | AI score 5.8 | EPSS 0.00209
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 2:49 p.m. | 10 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash under certain conditions (CVE-2025-2518).

Summary IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query. Vulnerability Details CVEID:CVE-2025-2518 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2...

CVSS 7.5 | AI score 5.8 | EPSS 0.00157
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 2:49 p.m. | 21 views

Security Bulletin: IBM® Db2® is affected by a vulnerability in the hadoop-common library (CVE-2024-23454).

Summary IBM® Db2® is vulnerable to an issue in Apache Hadoop which could allow a local authenticated attacker to access sensitive information. Vulnerability Details CVEID:CVE-2024-23454 DESCRIPTION: Apache Hadoop could allow a local authenticated attacker to obtain sensitive information, caused b...

CVSS 6.2 | AI score 7.6 | EPSS 0.00104
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 2:48 p.m. | 11 views

Security Bulletin: IBM® Db2® federated server is vulnerable to unbounded recursions due to a vulnerability in protobuf-java (CVE-2024-7254).

Summary Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite...

CVSS 8.7 | AI score 7.2 | EPSS 0.00134
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 2:47 p.m. | 23 views

Security Bulletin: IBM® Db2® is affected by a vulnerability in protobuf-java (CVE-2022-3510, CVE-2022-3509, CVE-2022-3171).

Summary protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for binary and text format data. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to caus...

CVSS 7.5 | AI score 6.5 | EPSS 0.00125
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 2:46 p.m. | 29 views

Security Bulletin: IBM® Db2® federated server is affected by a vulnerability in Apache Parquet (CVE-2025-30065).

Summary Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.15.1, which fixes the issue. Note: A Db2 server is not vulnerable to CVE-2025-30065 if the database manager...

CVSS 10 | AI score 8.9 | EPSS 0.00419
Exploits: 9 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 2:45 p.m. | 8 views

Security Bulletin: IBM® Db2® is vulnerable to a denial of service under certain conditions (CVE-2025-3050).

Summary IBM Db2 for Linux, UNIX and Windows includes DB2 Connect Server could allow an authenticated user to cause a denial of service when using Q replication due to the improper allocation of CPU resources. Vulnerability Details CVEID:CVE-2025-3050 DESCRIPTION: IBM Db2 for Linux, UNIX and Windo...

CVSS 6.5 | AI score 5.8 | EPSS 0.00157
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 1:33 p.m. | 10 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to unwanted disconnects due to the gRPC package (CVE-2023-33953)

Summary gRPC is used by DataStage on Cloud Pak for Data as part of service communication. Vulnerability Details CVEID:CVE-2023-33953 DESCRIPTION: gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional...

CVSS 7.5 | AI score 7.7 | EPSS 0.00124
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 1:31 p.m. | 8 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to several issues due to the Python package (CVE-2024-6232, CVE-2024-7592, CVE-2024-7592)

Summary Python is used by DataStage on Cloud Pak for Data as part of data processing functionality. Vulnerability Details CVEID:CVE-2024-6232 DESCRIPTION: There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile...

CVSS 7.8 | AI score 6.8 | EPSS 0.03014
Exploits: 3 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 1:28 p.m. | 4 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to out of bounds memory access due to the libssh2 package (CVE-2020-22218)

Summary libssh2 is used by DataStage on Cloud Pak for Data as part of secure communications. Vulnerability Details CVEID:CVE-2020-22218 DESCRIPTION: An issue was discovered in function libssh2packetadd in libssh2 1.10.0 allows attackers to access out of bounds memory. CWE:CWE-787: Out-of-bounds...

CVSS 7.5 | AI score 6.6 | EPSS 0.00078
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 1:25 p.m. | 3 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to remote code execution due to the setuptools package (CVE-2025-47273)

Summary Setuptools is used by DataStage on Cloud Pak for Data as part of package handling. Vulnerability Details CVEID:CVE-2025-47273 DESCRIPTION: setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in...

CVSS 8.8 | AI score 7.3 | EPSS 0.0012
Exploits: 4 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 1:23 p.m. | 6 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to signature forgery due to the node-forge package (CVE-2022-24771, CVE-2022-24772)

Summary Node-forge is used by DataStage on Cloud Pak for Data as part of connection encryption. Vulnerability Details CVEID:CVE-2022-24771 DESCRIPTION: Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS1 v1.5 signatu...

CVSS 7.5 | AI score 6.2 | EPSS 0.0018
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 1:20 p.m. | 11 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to prototype pollution due to the protobufjs package (CVE-2022-25878)

Summary Protobufjs is used by DataStage on Cloud Pak for Data as part of data serialization. Vulnerability Details CVEID:CVE-2022-25878 DESCRIPTION: The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the...

CVSS 8.2 | AI score 8.3 | EPSS 0.00422
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 12:12 p.m. | 4 views

Security Bulletin: IBM OpenPages is affected by multiple security vulnerabilities of DB2 Database Server (May 2025)

Summary IBM® Db2® Database Server is shipped as a supporting program of IBM OpenPages. Information about security vulnerabilities affecting IBM Db2 Database Server has been published in multiple security bulletins. Vulnerability Details Refer to the security bulletins listed in the...

AI score 7
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 10:55 a.m. | 6 views

Security Bulletin: IBM Maximo Application Suite uses axios-1.7.7.tgz which is vulnerable to CVE-2024-57965.

Summary IBM Maximo Application Suite uses axios-1.7.7.tgz which is vulnerable to CVE-2024-57965. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-57965 DESCRIPTION: In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not u...

CVSS 9.8 | AI score 5.3 | EPSS 0.00088
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 10:53 a.m. | 4 views

Security Bulletin: IBM watsonx Code Assistant On Prem product impacted by Input Handling Vulnerability in Transformers 4.49.0

Summary A vulnerability CVE-2025-1194 has been identified in the Transformers Python package version 4.49.0, which impacts the IBM watsonx Code Assistant On-Premises product. The issue arises from improper input validation during model configuration loading, which may allow attackers to execute...

CVSS 6.5 | AI score 5.6 | EPSS 0.00032
Exploits: 1 | Affected Software: 2

IBM Security Bulletins
added 2025/07/23 10:41 a.m. | 5 views

Security Bulletin: Jackson-Core Prior to 2.15.0 Due to Unbounded Nesting in JSON Input

Summary jackson-core contains core low-level incremental "streaming" parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is...

CVSS 8.7 | AI score 5.7 | EPSS 0.00252
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 10:40 a.m. | 3 views

Security Bulletin: Arbitrary Code Execution via JaninoEventEvaluator in Logback-Core through Malicious Configuration Files or Environment Variables

Summary ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before...

CVSS 5.9 | AI score 7.1 | EPSS 0.00169
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 10:38 a.m. | 6 views

Security Bulletin: SSRF Vulnerability in QOS.CH Logback via Malicious DOCTYPE in XML Config (v0.1–1.3.14, 1.4.0–1.5.12)

Summary Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in X...

CVSS 5.9 | AI score 6.6 | EPSS 0.00169
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 8:6 a.m. | 5 views

Security Bulletin: IBM Engineering Systems Design Rhapsody was affected by CVE-2025-33077

Summary IBM Engineering Systems Design Rhapsody was vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system. Vulnerability Details CVEID:CVE-2025-33077 DESCRIPTION: IBM Engineering Systems...

CVSS 8.8 | AI score 7.2 | EPSS 0.00392
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 8:2 a.m. | 4 views

Security Bulletin: IBM Engineering Systems Design Rhapsody was affected by CVE-2025-33020

Summary IBM Engineering Systems Design Rhapsody was vulnerable to transmits sensitive information without encryption that could allow an attacker to obtain highly sensitive information. Vulnerability Details CVEID:CVE-2025-33020 DESCRIPTION: IBM Engineering Systems Design Rhapsody transmits...

CVSS 7.5 | AI score 5.7 | EPSS 0.00059
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 8:0 a.m. | 3 views

Security Bulletin: IBM Engineering Systems Design Rhapsody was affected by CVE-2024-38434

Summary IBM Engineering Systems Design Rhapsody was vulnerable to use of Potentially Dangerous Function which may allow security feature bypass Vulnerability Details CVEID:CVE-2024-38434 DESCRIPTION: Unitronics Vision PLC – CWE-676: Use of Potentially Dangerous Function may allow security feature...

CVSS 6.5 | AI score 6.2 | EPSS 0.00052
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 8:0 a.m. | 8 views

Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is affected by a denial of service

Summary IBM WebSphere Application Server shipped with Jazz for Service Management JazzSM is affected by a denial of service CVE-2025-36097 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions ---|-...

CVSS 7.5 | AI score 5.9 | EPSS 0.0027
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 7:59 a.m. | 6 views

Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is affected by a security bypass vulnerability

Summary IBM WebSphere Application Server shipped with Jazz for Service Management JazzSM is affected by a security bypass vulnerability CVE-2024-56339 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products|...

CVSS 7.5 | AI score 6.2 | EPSS 0.00132
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 7:58 a.m. | 4 views

Security Bulletin: IBM Engineering Systems Design Rhapsody was affected by CVE-2025-33076

Summary IBM Engineering Systems Design Rhapsody was vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system. Vulnerability Details CVEID:CVE-2025-33076 DESCRIPTION: IBM Engineering Systems...

CVSS 8.8 | AI score 7.1 | EPSS 0.00392
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 7:47 a.m. | 4 views

Security Bulletin: Netty SslHandler Vulnerability Leads to Native Crash via Crafted Packet

Summary Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which...

CVSS 7.5 | AI score 6.9 | EPSS 0.00953
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2025/07/23 12:28 a.m. | 5 views

Security Bulletin: IBM Db2 Mirror for i GUI is affected by cross-site WebSocket hijacking and session fixation vulnerabilities [CVE-2025-36116, CVE-2025-36117].

Summary IBM Db2 Mirror for i GUI is affected by cross-site WebSocket hijacking and session fixation vulnerabilities as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerabilities as described in the remediation/fixes section...

CVSS 6.3 | AI score 6.7 | EPSS 0.00148
Exploits: 0 | Affected Software: 2

IBM Security Bulletins
added 2025/07/22 9:12 p.m. | 3 views

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Business Service Manager (CVE-2025-21587, CVE-2025-30698, CVE-2025-4447)

Summary IBM® SDK, Java™ Technology Edition is shipped as a component of IBM Tivoli Business Service Manager. Information about security vulnerabilities affecting IBM® SDK, Java™ Technology Edition has been published in a security bulletin. Vulnerability Details Refer to the security bulletins...

CVSS 7.8 | AI score 6.9 | EPSS 0.00234
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/22 8:23 p.m. | 7 views

Security Bulletin: IBM Integration Designer is vulnerable to denial of service (CVE-2025-48976, CVE-2025-48924)

Summary Vulnerability in Apache Commons FileUpload and Commons Lang used by IBM Integration Designer. IBM Integration Designer has addressed CVE-2025-48976 and CVE-2025-48924. Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of resources for multipart headers with insufficient...

CVSS 7.5 | AI score 6.8 | EPSS 0.01278
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/07/22 8:21 p.m. | 18 views

Security Bulletin: IBM WebSphere Application Server and WebSphere Application Server Liberty, which are bundled with WebSphere Remote Server, are affected by a security bypass vulnerability (CVE-2024-56339)

Summary IBM WebSphere Application Server and WebSphere Application Server Liberty are shipped with IBM WebSphere Remote Server. Information about a security vulnerability affecting IBM WebSphere Application Server and WebSphere Application Server Liberty has been published in a security bulletin...

CVSS 7.5 | AI score 6.7 | EPSS 0.00132
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/22 6:7 p.m. | 6 views

Security Bulletin: Host Header Injection Vulnerability in IBM Operations Analytics - Log Analysis (CVE-2024-40686)

Summary Host header vulnerability in IBM Operations Analytics - Log Analysis allows remote attackers to execute scripts within the application context via remote file inclusion. This has been addressed. Vulnerability Details CVEID:CVE-2024-40686 DESCRIPTION: IBM SmartCloud Analytics - Log Analysi...

CVSS 6.1 | AI score 6.7 | EPSS 0.00128
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/22 6:5 p.m. | 5 views

Security Bulletin: IBM WebSphere Application Server and WebSphere Application Server Liberty, which are bundled with WebSphere Remote Server, are affected by a denial of service (CVE-2025-36097)

Summary IBM WebSphere Application Server and WebSphere Application Server Liberty are shipped with IBM WebSphere Remote Server. Information about a security vulnerability affecting IBM WebSphere Application Server and WebSphere Application Server Liberty has been published in a security bulletin...

CVSS 7.5 | AI score 6.8 | EPSS 0.0027
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/22 5:49 p.m. | 8 views

Security Bulletin: IBM HTTP Server, which is bundled with WebSphere Remote Server, is affected by multiple vulnerabilities due to the included Apache HTTP Server

Summary IBM HTTP Server is shipped with IBM WebSphere Remote Server. Information about security vulnerabilities affecting IBM HTTP Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and...

CVSS 7.5 | AI score 5.8 | EPSS 0.00916
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/22 5:21 p.m. | 7 views

Security Bulletin: Input Validation and Client-Side Bypass Vulnerabilities in IBM Operations Analytics - Log Analysis (CVE-2024-40682, CVE-2024-41750)

Summary Vulnerabilities in IBM Operations Analytics - Log Analysis allow bypassing client-side validation checks for allowable characters, and failure to validate input from the environment. This has been addressed. Vulnerability Details CVEID:CVE-2024-40682 DESCRIPTION: IBM SmartCloud Analytics ...

CVSS 6.2 | AI score 6.5 | EPSS 0.00054
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/22 5:12 p.m. | 3 views

Security Bulletin: Multiple security vulnerabilities in IBM SDK, Java Technology Edition affects IBM OpenPages

Summary IBM® SDK, Java™ Technology Edition is shipped as a supporting program of IBM OpenPages. Information about a security vulnerability affecting IBM SDK, Java Technology Edition has been published in multiple security bulletins. These products have addressed the applicable CVEs. For a complet...

AI score 6.9
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/22 4:57 p.m. | 16 views

Security Bulletin: A Function Level Control vulnerability in IBM Operations Analytics - Log Analysis (CVE-2024-41751)

Summary A privilege escalation vulnerability exists in IBM Operations Analytics - Log Analysis. It allows low-privilege users to change the password of high-privilege accounts through intercepting the request. This has been addressed. Vulnerability Details CVEID:CVE-2024-41751 DESCRIPTION: IBM...

CVSS 5.5 | AI score 6.9 | EPSS 0.00054
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/22 3:48 p.m. | 11 views

Security Bulletin: IBM Security QRadar Network Threat Analytics app for IBM QRadar SIEM includes components with known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM Security QRadar Network Threat Analytics app for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-1135 DESCRIPTION:...

CVSS 9.8 | AI score 8.4 | EPSS 0.06248
Exploits: 4 | Affected Software: 1

IBM Security Bulletins
added 2025/07/22 1:23 p.m. | 5 views

Security Bulletin: IBM Security QRadar Network Threat Analytics app for IBM QRadar SIEM is affected by denial of service (CVE-2024-38335)

Summary IBM Security QRadar Network Threat Analytics app for IBM QRadar SIEM is affected by denial of service due to improper allocation of resources. This issue has been addressed in the latest update. Vulnerability Details CVEID:CVE-2024-38335 DESCRIPTION: IBM Security QRadar Network Threat...

CVSS 4.5 | AI score 6.2 | EPSS 0.00081
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/22 12:10 p.m. | 14 views

Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant On Prem

Summary Multiple vulnerabilities were addressed in IBM watsonx Code Assistant On Prem V5.1.3 Vulnerability Details CVEID:CVE-2025-3136 DESCRIPTION: A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0. This issue affects the function...

CVSS 7.5 | AI score 5 | EPSS 0.0015
Exploits: 5 | Affected Software: 2

IBM Security Bulletins
added 2025/07/22 10:52 a.m. | 4 views

Security Bulletin: IBM Cloud Pak System is vulnerable to an Improper Access Control due to use of Apache Commons BeanUtils [CVE-2025-48734]

Summary Due to use of Apache Commons BeanUtils IBM Cloud Pak System is vulnerable to an Improper Access Control. IBM Cloud Pak System addressed vulnerability. Vulnerability Details CVEID:CVE-2025-48734 DESCRIPTION: Improper Access Control vulnerability in Apache Commons. A special BeanIntrospecto...

CVSS 8.8 | AI score 8.1 | EPSS 0.00258
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/07/21 11:55 p.m. | 7 views

Security Bulletin: IBM Virtualization Engine TS7700 is susceptible to tampering and elevation of privilege (CVE-2025-30065) due to the use of IBM Db2

Summary IBM Virtualization Engine TS7700 is susceptible to a tampering and privilege escalation vulnerability CVE-2025-30065, due to the use of IBM Db2, which is primarily embedded to store metadata related to the data it manages. Additionally, this patch also includes updates for other...

CVSS 10 | AI score 9.7 | EPSS 0.00419
Exploits: 9 | Affected Software: 3

IBM Security Bulletins
added 2025/07/21 11:51 p.m. | 4 views

Security Bulletin: IBM Virtualization Engine TS7700 is susceptible to Tampering and Elevation of Privilege due to the use of AIX NIM

Summary The use of AIX NIM exposes IBM Virtualization Engine TS7700 to vulnerabilities identified as CVE-2024-56346 and CVE-2024-56347, making it susceptible to tampering and privilege escalation attacks. These weaknesses in AIX could be exploited by a remote attacker to execute unauthorized...

CVSS 10 | AI score 9.9 | EPSS 0.00459
Exploits: 0 | Affected Software: 3

IBM Security Bulletins
added 2025/07/21 6:41 p.m. | 4 views

Security Bulletin: IBM Cognos Analytics Mobile (Android) is affected by a vulnerability in Babel (CVE-2025-27789)

Summary There is a vulnerability in Babel/helpers and Babel/runtime consumed by IBM Cognos Analytics Mobile Android CVE-2025-27789. This Security Bulletin relates only to the direct usage of third-party components by IBM Cognos Analytics Mobile and not any nested dependencies within the product...

CVSS 6.2 | AI score 6.5 | EPSS 0.0006
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/07/21 6:38 p.m. | 4 views

Security Bulletin: IBM Cognos Analytics Mobile (iOS) is affected by multiple vulnerabilities

Summary There are vulnerabilities in Babel/helpers and Babel/runtime consumed by IBM Cognos Analytics Mobile iOS. Additionally, IBM Cognos Analytics Mobile iOS is vulnerable to Information Disclosure, Authentication Bypass and Insecure Transmission vulnerabilities. This Security Bulletin relates...

CVSS 8.2 | AI score 7.1 | EPSS 0.00107
Exploits: 0 | Affected Software: 1

Total number of security vulnerabilities: 34931