35608 matches found
Security Bulletin:IBM Event Streams is vulnerable to Regular Expression Denial of Service (ReDoS) ( CVE-2025-1302).
Summary IBM Event Streams is vulnerable to Regular Expression Denial of Service ReDoS caused by Inefficient Regular Expression Complexity. This issue affects JavaScript code that is compiled using certain versions of Babel . Babel is a JavaScript transcompiler used for converting modern JavaScrip...
Security Bulletin:IBM Event Streams is vulnerable to HTTP Parameter Pollution (HPP) attack (CVE-2025-7783).
Summary IBM Event Streams is vulnerable to an HTTP Parameter Pollution HPP attack due to the use of random values in the form-data module. This vulnerability affects how data from HTML forms is processed, particularly during form submission or when interacting with event listeners tied to form...
Security Bulletin:urllib3 before 2.5.0 fails to properly enforce redirect controls in PoolManager and Pyodide environments, exposing apps to SSRF and open redirect risks
Summary urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application...
Security Bulletin: Axios before 1.8.2 allows SSRF and credential leakage when using absolute URLs despite baseURL setting
Summary axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This...
Security Bulletin: Axios exposes confidential XSRF-TOKEN in all requests via X-XSRF-TOKEN header
Summary An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information. Vulnerability Details CVEID:CVE-2023-45857 DESCRIPTIO...
Security Bulletin: Axios before 1.7.8 uses setAttribute('href') in isURLSameOrigin.js, raising potential security concern
Summary In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute'href',href call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a...
Security Bulletin: urllib3 Proxy-Authorization header only applies with ProxyManager, not direct requests
Summary urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to...
Security Bulletin: Vulnerability in certifi, flask, idna, urllib3 and axios might affect IBM Storage Defender Sentinel Anomaly Scan Engine.
Summary IBM Storage Defender Sentinel Anomaly Scan Engine can be affected by vulnerabilities in certifi, flask, idna, urllib3 and axios. Vulnerabilities include allowing an attacker to cause a denial of service, obtain sensitive information and gain access to launch further attacks on the systems...
Security Bulletin: A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30).
Summary A vulnerability has been identified in OPUPI0 AMQP/MQTT All versions V5.30. Vulnerability Details CVEID:CVE-2024-31486 DESCRIPTION: A vulnerability has been identified in OPUPI0 AMQP/MQTT All versions V5.30. The affected devices stores MQTT client passwords without sufficient protection o...
Security Bulletin: Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
Summary Passing a heavily nested list to sqlparse.parse leads to a Denial of Service due to RecursionError. Vulnerability Details CVEID:CVE-2024-4340 DESCRIPTION: Passing a heavily nested list to sqlparse.parse leads to a Denial of Service due to RecursionError. CWE:CWE-674: Uncontrolled Recursio...
Security Bulletin: IBM i is affected by a security configuration vulnerability in IBM WebSphere Application Server Liberty [CVE-2024-56339]
Summary IBM WebSphere Application Server Liberty for IBM i is vulnerable to bypassing of security restrictions caused by failure to honor the security configuration CVE-2024-56339 as described in the vulnerability details section. Vulnerability Details CVEID:CVE-2024-56339 DESCRIPTION: IBM...
Security Bulletin: Multiple vulnerabilities may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2025-5889, CVE-2025-7339)
Summary There are multiple vulnerabilities in brace-expansion and on-headers used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-5889 DESCRIPTION: A vulnerability...
Security Bulletin: Vulnerabilities in Linux Kernel might affect IBM Storage Defender Copy Data Management
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Linux Kernel. A local attacker could exploit this vulnerability to cause a denial of service Vulnerability Details IBM X-Force ID: 383938 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused ...
Security Bulletin: Vulnerabilities in Marked, Minimatch and Logback might affect IBM Storage Defender Copy Data Management
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Marked, Minimatch and Logback. Vulnerabilities include causing regular expression denial of service ReDoS, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data, and allowing to execu...
Security Bulletin: Vulnerabilities in Bouncy Castle, Eclipse JGit and Node.js diff might affect IBM Storage Defender Copy Data Management
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Bouncy Castle, Eclipse JGit and Node.js diff. Vulnerabilities include vulnerable to padding oracle attack, allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistic...
Security Bulletin: Vulnerabilities in Jettison, Hawk and tim-newlines might affect IBM Storage Defender Copy Data Management.
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Jettison, Hawk and tim-newlines. Vulnerabilities include causing a denial of service attack, causing a Denial of Service DoS via crafted JSON data, allows attackers to cause a Denial of Service DoS via a craft...
Security Bulletin: Vulnerabilities in Netty-codec and Netty-handler might affect IBM Storage Defender Copy Data Management
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Netty-codec and Netty-handler. Vulnerabilities include an incorrect validation of special crafted packet via SslHandler can lead to a native crash, the SniHandler can allocate up to 16MB of heap for each chann...
Security Bulletin: Vulnerabilities in Apache Tomcat and form-data might affect IBM Storage Defender Copy Data Management.
Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Apache Tomcat and form-data. Vulnerabilities include a memory leak which result in a denial of service, possible for a specially crafted request to bypass some rewrite rules which could be bypassed security...
Security Bulletin: IBM i is affected by denial of service vulnerabilities in IBM WebSphere Application Server Liberty [CVE-2025-36097, CVE-2025-36047, CVE-2025-48976]
Summary IBM WebSphere Application Server Liberty for IBM i is vulnerable to a denial of service by sending a specially crafted request that causes the server to consume excessive memory resources CVE-2025-36097, CVE-2025-36047 and by allocation of resources for multipart headers with insufficient...
Security Bulletin: Multiple vulnerabilities in IBM Aspera HTTP Gateway
Summary Multiple vulnerabilities were addressed in IBM Aspera HTTP Gateway version 2.3.2. Vulnerability Details CVEID:CVE-2025-36274 DESCRIPTION: IBM Aspera HTTP Gateway stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user. CWE:CWE-312...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in llama_index-0.12.29-py3-none-any.whl
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of llamaindex-0.12.29-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-1793 DESCRIPTION: Multiple vector store integrations in run-llama/llamaindex version v0.12.21 have SQL injection vulnerabilities. These vulnerabiliti...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in jsonpath-plus-10.2.0.tgz
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of jsonpath-plus-10.2.0.tgz Vulnerability Details CVEID:CVE-2025-1302 DESCRIPTION: Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution RCE due to improper input sanitization. An attacke...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in h11-0.14.0-py3-none-any.whl
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of h11-0.14.0-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-43859 DESCRIPTION: h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding...
Security Bulletin: IBM Lakehouse stores potentially sensitive information in log files that could be read by a local user, affects watsonx.data
Summary IBM Lakehouse stores potentially sensitive information in log files that could be read by a local user. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2025-36144 DESCRIPTION: IBM Lakehouse stores potentially sensitive information in log files that could be read by a local...
Security Bulletin: A vulnerability in Formidable (aka node-formidable) may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2025-46653)
Summary There is a vulnerability in Formidable aka node-formidable used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-46653 DESCRIPTION: Formidable aka...
Security Bulletin: A vulnerability in Apache Commons Lang may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2025-48924)
Summary There is a vulnerability in Apache Commons Lang used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability...
Security Bulletin: TS4500 Tape Library/Diamondback Tape Library addresses security vulnerability CVE-2024-43192
Summary Certain HTML forms in the web GUI did not use anti-CSRF tokens, allowing attackers to trick authenticated users into performing unintended actions. The issue has been resolved by adding CSRF protection to the affected forms. Vulnerability Details CVEID:CVE-2024-43192 DESCRIPTION: IBM...
Security Bulletin: Multiple Vulnerabilities in IBM API Connect
Summary Multiple vulnerabilities were addressed in IBM API Connect version 10.0.8.4 Vulnerability Details CVEID:CVE-2016-10228 DESCRIPTION: The iconv program in the GNU C Library aka glibc or libc6 2.31 and earlier, when invoked with multiple suffixes in the destination encoding TRANSLATE or IGNO...
Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities
Summary IBM Guardium Data Security Center has addressed these vulnerabilties with an update. Vulnerability Details CVEID:CVE-2021-43784 DESCRIPTION: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a...
Security Bulletin: Multiple vulnerabilities in IBM Aspera Console
Summary Multiple vulnerabilities were addressed in IBM Aspera Console version 3.4.7. Vulnerability Details CVEID:CVE-2022-44566 DESCRIPTION: A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter 7.0.4.1 and 6.1.7.1. When a value outside the range for a 64bit signed intege...
Security Bulletin: Vulnerability in Apache Tomcat affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.
Summary Potential vulnerability in Apache Tomcat has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. . The vulnerability have been addressed. Refer to details for additional information...
Security Bulletin: Vulnerability in FreeType affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.
Summary Potential vulnerability in FreeType has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. . The vulnerability have been addressed. Refer to details for additional information...
Security Bulletin: Vulnerabilities in pbkdf2 affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.
Summary Potential vulnerabilities in pbkdf2 has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. . The vulnerability have been addressed. Refer to details for additional information...
Security Bulletin: Vulnerability in Apache Tomcat affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.
Summary Potential vulnerabilities in Apache Tomcat has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. . The vulnerability have been addressed. Refer to details for additional information...
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to HTTP parameter pollution [CVE-2025-7783]
Summary Node.js module form-data is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operands are vulnerable to HTTP parameter pollution. This bulletin provides patch information to address the reported vulnerability in Node.js module form-dat...
Security Bulletin: Due to the use of CKEditor, IBM Engineering Lifecycle Management - Jazz Foundation is affected by a Cross-Site scripting vulnerability
Summary Below vulnerability has been identified in CKEditor, which has been addressed by IBM Engineering Lifecycle Management - Jazz Foundation. Vulnerability Details CVEID:CVE-2023-4771 DESCRIPTION: A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15....
Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images
Summary Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images Vulnerability Details CVEID:CVE-2025-22874 DESCRIPTION: Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected...
Security Bulletin: The IBM® Engineering Lifecycle Management - Jazz Foundation is impacted by Relative Path Traversal vulnerability.
Summary A vulnerability has been identified in IBM Engineering Lifecycle Management -Jazz Foundation, due to relative path traversal. This bulletin contains information regarding vulnerabilities and remediation actions. Vulnerability Details CVEID:CVE-2025-25048 DESCRIPTION: IBM Jazz Foundation...
Security Bulletin: IBM Transformation Advisor is affected by multiple vulnerabilities found in Java, Node.js and IBM WebSphere Application Server Liberty
Summary There are multiple vulnerabilities in Java, Node.js and IBM WebSphere Application Server Liberty used by IBM Transformation Advisor. Vulnerability Details CVEID:CVE-2025-36047 DESCRIPTION: IBM WebSphere Application Server Liberty 18.0.0.2 through 25.0.0.8 is vulnerable to a denial of...
Security Bulletin: IBM Application Modernization Accelerator is affected by multiple vulnerabilities found in Java, Node.js and IBM WebSphere Application Server Liberty
Summary There are multiple vulnerabilities in Java, Node.js and IBM WebSphere Application Server Liberty used by IBM Application Modernization Accelerator. Vulnerability Details CVEID:CVE-2025-36000 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 is vulnerable to...
Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Tivoli Network Manager (CVE-2025-50106, CVE-2025-30749, CVE-2025-30761, CVE-2025-30754).
Summary Multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 17, used by IBM Tivoli Network Manager IP Edition v4.2 core components. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products|...
Security Bulletin: Vulnerabilities exists in IBM Netezza Performance Server Replication Services
Summary Vulnerabilities exists in IBM Netezza Performance Server Replication Services are addressed in 3.0.5.0 Vulnerability Details CVEID:CVE-2023-44981 DESCRIPTION: Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled ...
Security Bulletin: IBM Maximo Application Suite - Manage Component uses org.eclipse.core.runtime 3.10.0.v20140318-2214 which is vulnerable to CVE-2023-4218
Summary IBM Maximo Application Suite - Manage Component uses org.eclipse.core.runtime 3.10.0.v20140318-2214 which is vulnerable to CVE-2023-4218.This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2023-4218 DESCRIPTION: In Eclipse IDE...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to form-data-4.0.3.tgz CVE-2025-7783
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to form-data-4.0.3.tgz CVE-2025-7783. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in...
Security Bulletin: Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2025-30749, CVE-2025-30754, CVE-2025-30761, CVE-2025-50059 and CVE-2025-50106)
Summary There are multiple vulnerabilities in IBM® Semeru Runtime Version 17 used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-50059 DESCRIPTION: Vulnerability ...
Security Bulletin: Vulnerabilities Addressed in IBM Tivoli Network Configuration Manager IP Edition (ITNCM) version 6.4.2 Fix Pack 23 (6.4.2.23)
Summary Multiple vulnerabilities were addressed in ITNCM version 6.4.2 Fix Pack 23 6.4.2.23 Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to...
Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale and the Cloudkit are now included (CVE-2025-30204)
Summary The following vulnerabilities that can affect IBM Storage Scale and the Cloudkit and could provide weaker than expected security are now fixed CVE-2025-30204. Vulnerability Details CVEID:CVE-2025-30204 DESCRIPTION: golang-jwt is a Go implementation of JSON Web Tokens. Starting in version...
Security Bulletin: IBM Watsonx BI is affected by a vulnerability found in libxml2
Summary IBM Watsonx BI is affected by a vulnerability found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of...
Security Bulletin: IBM Watsonx BI is affected by use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP).
Summary Watsonx BI use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution HPP. This vulnerability is associated with program files lib/formdata.Js. Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for August 2025.
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF006, 24.0.1-IF004 and 25.0.0-IF001. Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random...