Security Bulletin: Vulnerability in cryptography affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2023-23931]
Summary The cryptography package is used by IBM Cloud Pak for Data System 2.0. IBM Cloud Pak for Data System 2.0 has addressed the applicable CVE, CVE-2023-23931. Vulnerability Details CVEID:CVE-2023-23931 DESCRIPTION: cryptography is a package designed to expose cryptographic primitives and...
Security Bulletin: IBM webMethods Integration Server is affected by a privilege escalation vulnerability via the pub.scheduler.addOneTimeTask service
Summary IBM webMethods Integration Server is affected by a privilege escalation vulnerability via the pub.scheduler.addOneTimeTask service. CVE-2025-36048 Vulnerability Details CVEID:CVE-2025-36048 DESCRIPTION: IBM webMethods Integration could allow a privileged user to escalate their privileges when...
Security Bulletin: IBM webMethods Integration Server is affected by remote code execution via pub.xslt.transformSerialXML
Summary IBM webMethods Integration Server is affected by remote code execution via pub.xslt.transformSerialXML. CVE-2025-36049 Vulnerability Details CVEID:CVE-2025-36049 DESCRIPTION: IBM webMethods Integration is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A...
Security Bulletin: The Mailbox User Interface of IBM Sterling B2B Integrator and IBM Sterling File Gateway is vulnerable to XSS (CVE-2024-54183)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed XSS in the mailbox user interface. Vulnerability Details CVEID:CVE-2024-54183 DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to cross-site scripting. This vulnerability allows an...
Security Bulletin: Security Vulnerability in Protobuf-Java Affects Document Service Container of IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2024-7254)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the security vulnerability in Protobuf-Java. Vulnerability Details CVEID:CVE-2024-7254 DESCRIPTION: Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of...
Security Bulletin: IBM webMethods Integration Server is affected by vulnerable Google Guava 30.0 jar used in the GraphQL functionality
Summary Google Guava is used by IBM webMethods Integration Server as part of the GraphQL functionality. CVE-2023-2976, CVE-2020-8908. Vulnerability Details CVEID:CVE-2023-2976 DESCRIPTION: Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versio...
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to domain certificate spoofing due to the OkHostnameVerifier.java package (CVE-2021-0341)
Summary OkHostnameVerifier.java is used by DataStage on Cloud Pak for Data as part of hostname verification. Vulnerability Details CVEID:CVE-2021-0341 DESCRIPTION: In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2025-21587, CVE-2025-30698, CVE-2025-4447)
Summary There are multiple vulnerabilities in IBM SDK Java Technology Edition used by IBM Tivoli System Automation Application Manager. Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecified vulnerability in Java SE related to the Server: DDL component could allow a remote attacke...
Security Bulletin: Dashboard UI of IBM Sterling B2B Integrator and IBM Sterling File Gateway is vulnerable to Stored Cross-Site Scripting (CVE-2025-1349)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the stored cross-site scripting vulnerability. Vulnerability Details CVEID:CVE-2025-1349 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to stored cross-site scripting. This vulnerability allo...
Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to Improper Cache Management (CVE-2025-1348)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed an Improper Cache Management vulnerability. Vulnerability Details CVEID:CVE-2025-1348 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition could allow a local user to obtain sensitive information from a user’s w...
Security Bulletin: Security Vulnerability in Apache Commons IO Affects IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2024-47554)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the security vulnerability in Apache Commons IO. Vulnerability Details CVEID:CVE-2024-47554 DESCRIPTION: Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The...
Security Bulletin: Security Vulnerability in Apache Kafka Client Affects IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2024-31141)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the security vulnerability in Apache Kafka Client. Vulnerability Details CVEID:CVE-2024-31141 DESCRIPTION: Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kaf...
Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to Incorrect Authorization issues (CVE-2024-55905)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the authorization issue. Vulnerability Details CVEID:CVE-2024-55905 DESCRIPTION: IBM Sterling B2B Integrator could allow an unauthenticated user to connect to groups that they should not have access to due to incorre...
Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to Cross-Site Request Forgery (CVE-2024-54172)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to cross-site request forgery. Vulnerability Details CVEID:CVE-2024-54172 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site request forgery which could allow an...
Security Bulletin: IBM Fusion and IBM Fusion HCI are vulnerable to request smuggling due to the Python package h11 (CVE-2025-43859)
Summary The Python package h11 is used by IBM Fusion and IBM Fusion HCI as part of the Content Aware Storage service and the Backup and Restore service agent, and is vulnerable to request smuggling under certain conditions due to CVE-2025-43859 in h11. Vulnerability Details CVEID:CVE-2025-43859...
Security Bulletin: Apache Parquet Common Vulnerability reported in Cloudera offerings with IBM. Fixes available from Cloudera.
Summary On April 1, 2025, a critical vulnerability in the parquet-avro module of Apache Parquet (CVE-2025-30065, CVSS score 10.0) was announced. Vulnerability Details CVEID:CVE-2025-30065 DESCRIPTION: Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows ba...
Security Bulletin: Vulnerability in Apache POI library affects Tivoli Netcool/OMNIbus WebGUI (CVE-2025-31672)
Summary The Apache POI library is used by Tivoli Netcool/OMNIbus WebGUI for the Seasonal Event Graphs export feature. Vulnerability Details CVEID:CVE-2025-31672 DESCRIPTION: Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Inefficient Regular Expression Complexity due to the golang/net package (CVE-2024-45338)
Summary A potential vulnerability in the golang/net package (CVE-2024-45338) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-45338 DESCRIPTION: An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Inefficient Regular Expression Complexity due to axios (CWE-1333)
Summary A potential vulnerability in the axios module has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details IBM X-Force ID: 386108 DESCRIPTION: axios is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the format method. By...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Race Condition due to moby (CVE-2024-36621)
Summary A potential vulnerability in the moby package (CVE-2024-36621) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-36621 DESCRIPTION: moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to UNIX Symbolic Link (Symlink) Following due to the runc package (CVE-2024-45310)
Summary A potential vulnerability in the runc package (CVE-2024-45310) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-45310 DESCRIPTION: runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, ...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Server-Side Request Forgery (SSRF) due to the axios package (CVE-2025-27152)
Summary A potential vulnerability in the axios package (CVE-2025-27152) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2025-27152 DESCRIPTION: axios is a promise-based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rathe...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Asymmetric Resource Consumption (Amplification) due to the body-parser package (CVE-2024-45590)
Summary A potential vulnerability in the body-parser package (CVE-2024-45590) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-45590 DESCRIPTION: body-parser is Node.js body parsing middleware. body-parser before 1.20.3 is vulnerable to denial of service when ur...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Inefficient Regular Expression Complexity due to cross-spawn (CVE-2024-21538)
Summary A potential vulnerability in the cross-spawn module (CVE-2024-21538) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-21538 DESCRIPTION: Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Prototype Pollution due to the ejs package (CVE-2024-33883)
Summary A potential vulnerability in the ejs package has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-33883 DESCRIPTION: The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection. CWE:CWE-693:...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Improper Input Validation due to kube-controller-manager (CVE-2024-0793)
Summary A potential vulnerability in kube-controller-manager (CVE-2024-0793) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-0793 DESCRIPTION: A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lackin...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Improper Input Validation due to the kube package (CVE-2024-9042)
Summary A potential vulnerability in the kube package (CVE-2024-9042) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-9042 DESCRIPTION: This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Cross-site Scripting (XSS) due to the serve-static package (CVE-2024-43800)
Summary A potential vulnerability in the serve-static package (CVE-2024-43800) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-43800 DESCRIPTION: serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Improper Restriction of Recursive Entity References due to the rexml package (CVE-2024-43398)
Summary A potential vulnerability in the rexml package (CVE-2024-43398) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-43398 DESCRIPTION: REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Server-Side Request Forgery (SSRF) due to axios (CVE-2024-39338)
Summary A potential vulnerability in the axios module (CVE-2024-39338) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-39338 DESCRIPTION: axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol...
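The two axios SSRF bulletins above (CVE-2025-27152, where an absolute URL passed to a client configured with baseURL is sent to that absolute host, and CVE-2024-39338, where a path-relative URL is processed as protocol-relative) share one root cause: a caller-supplied string ends up deciding the request host. Upgrading the library fixes the parsing, but an application that builds request paths from user input should still confine them to the intended origin before any HTTP client sees them. The guard below is an added example written for this page, not code from IBM, Cloud Pak for Data or the axios project; the base URL, the sample paths and the guardedGet wrapper are constructed for illustration.

```javascript
// Added example (not from the IBM bulletins or the axios project): confine a
// caller-supplied path to a fixed base origin and path prefix before handing
// it to any HTTP client. BASE_URL is a constructed value for illustration.
const BASE_URL = 'https://api.internal.example/v1/';

// Matches anything that begins with a URL scheme ("http:", "file:", ...).
const SCHEME_RE = /^[a-z][a-z0-9+.-]*:/i;

// Returns the fully resolved URL string, or throws if the input would leave
// the base origin or the base path prefix. WHATWG URL resolution is used so
// the rules the runtime itself applies ("//", "\\", "..") are what get checked.
function resolveWithinBase(userPath, baseURL = BASE_URL) {
  if (typeof userPath !== 'string') {
    throw new TypeError('path must be a string');
  }
  const base = new URL(baseURL);

  // Reject absolute URLs up front: this is the CVE-2025-27152 shape, where an
  // absolute URL silently overrides the client's baseURL.
  if (SCHEME_RE.test(userPath)) {
    throw new Error('absolute URL rejected: ' + userPath);
  }

  // Resolve the way a client would, then check the result rather than the
  // input. A leading "//" (the CVE-2024-39338 shape) or a leading "/\" both
  // resolve to another host and fail the origin check; "../" stays on the
  // host but escapes the prefix and fails the path check.
  const resolved = new URL(userPath, base);
  if (resolved.origin !== base.origin) {
    throw new Error('resolved to a different origin: ' + resolved.href);
  }
  if (!resolved.pathname.startsWith(base.pathname)) {
    throw new Error('resolved outside base path: ' + resolved.pathname);
  }
  return resolved.href;
}

// Boolean form of the same check for callers that do not want exceptions.
function isWithinBase(userPath, baseURL = BASE_URL) {
  try {
    resolveWithinBase(userPath, baseURL);
    return true;
  } catch (e) {
    return false;
  }
}

// Hypothetical wrapper showing where the guard sits: `client` stands for any
// object with a get(url) method (for example an axios instance); it only ever
// receives an absolute URL that already passed the check.
function guardedGet(client, userPath) {
  const target = resolveWithinBase(userPath);
  return client.get(target);
}
```

The prefix check runs on the encoded pathname, so percent-encoded traversal inside the prefix is left for the origin server to reject; what the guard enforces is host confinement, which is the property both CVEs broke. Passing the resolved absolute URL to the client, rather than the raw path plus a baseURL, also means a future client-side URL-joining bug cannot reintroduce the problem.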
Security Bulletin: IBM Cloud Pak for Data is vulnerable to authorization bypass due to golang/crypto (CVE-2024-45337)
Summary A potential vulnerability in the golang/crypto module (CVE-2024-45337) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-45337 DESCRIPTION: Applications and libraries which misuse connection.serverAuthenticate via callback field...
Security Bulletin: Multiple security vulnerabilities in Vite affect IBM Robotic Process Automation (CVE-2025-31125, CVE-2025-32395, CVE-2025-31486)
Summary Multiple security vulnerabilities in Vite affect IBM Robotic Process Automation (CVE-2025-31125, CVE-2025-32395, CVE-2025-31486). Vite is used by IBM Robotic Process Automation as part of the UI framework. This bulletin identifies the fixes required to address these vulnerabilities...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Cross-site Scripting (XSS) due to express.js (CVE-2024-43796)
Summary A potential vulnerability in the express.js package (CVE-2024-43796) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-43796 DESCRIPTION: Express.js is a minimalist web framework for node. In express before 4.20.0, passing untrusted user input - even after...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Cross-Site Request Forgery (CSRF) due to insecure debugger access in Werkzeug (CVE-2024-34069)
Summary A potential vulnerability in Werkzeug has been identified that may affect IBM Cloud Pak for Data. Refer to the details for additional information. Vulnerability Details CVEID:CVE-2024-34069 DESCRIPTION: Werkzeug is a comprehensive WSGI web application library. The debugger in affected version...
Security Bulletin: IBM App Connect Enterprise is vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to the Node.js module snowflake (CVE-2025-46328)
Summary IBM App Connect Enterprise Discovery Connectors is vulnerable to a Time-of-check Time-of-use (TOCTOU) Race Condition due to the Node.js module snowflake. Vulnerability Details CVEID:CVE-2025-46328 DESCRIPTION: snowflake-connector-nodejs is a NodeJS driver for Snowflake. Versions starting from 1.10...
Security Bulletin: cups vulnerability in BAMOE 8.0.5 images
Summary There was a cups library vulnerability in BAMOE 8.0.5 images, transitively brought in by the RHEL base OS image layer. Vulnerability Details CVEID:CVE-2024-47175 DESCRIPTION: OpenPrinting libppd could allow a remote attacker to execute arbitrary command on the system, caused by the failure to...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to improper verification of cryptographic signature due to elliptic (CVE-2024-48949)
Summary A potential vulnerability in the elliptic module (CVE-2024-48949) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-48949 DESCRIPTION: The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Improper Input Validation due to follow-redirects (CVE-2023-26159)
Summary A potential vulnerability in the follow-redirects module has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2023-26159 DESCRIPTION: Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Throttling due to inadequate stream handling in the http2 package (CVE-2023-39325)
Summary A potential vulnerability in the http2 package (CVE-2023-39325) has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2023-39325 DESCRIPTION: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server...
Security Bulletin: IBM Event Processing is vulnerable to an Authorization Bypass (CVE-2025-29927)
Summary IBM Event Processing is vulnerable to an Authorization Bypass due to the use of a Next.js component. Since Next.js can be used in the UI layer or API routing, unauthorized users may gain access to protected resources or functionalities, potentially compromising the system's integrity...
Security Bulletin: IBM Edge Data Collector is vulnerable to CVE-2025-29927 in Next.js (next-15.1.7.tgz)
Summary IBM Edge Data Collector is vulnerable to CVE-2025-29927 in Next.js (next-15.1.7.tgz). This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2025-29927 DESCRIPTION: Next.js is a React framework for building full-stack web applications. Starting in...
Security Bulletin: LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code, affects watsonx.data
Summary LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request intended for server-side color lookup contains a flaw allowing a client to send color-name requests with a name longer than the maximum si...
Security Bulletin: Apache commons-dbcp vulnerability affects watsonx.data
Summary Apache commons-dbcp could allow a remote authenticated attacker from within the local network to obtain sensitive information, caused by an error if a BasicDataSource is created with jmxName set. By using JMXBean, an attacker could exploit this vulnerability to expose/export the password...
Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images
Summary Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images. Vulnerability Details CVEID:CVE-2024-12133 DESCRIPTION: A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate,...
Security Bulletin: A Security Vulnerability was discovered in the IBM Security Directory Container (CVE-2025-1411)
Summary The IBM Security Directory Container has addressed a security vulnerability in an update. Vulnerability Details CVEID:CVE-2025-1411 DESCRIPTION: IBM Security Verify Directory Container could allow a local user to execute commands as root due to execution with unnecessary privileges...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an out-of-bounds read in Linux kernel's USB Audio driver [CVE-2024-53150]
Summary IBM Watson Speech Services Cartridge is vulnerable to an out-of-bounds read in the Linux kernel's USB Audio driver, due to a failure to check the bLength of each descriptor when traversing clock descriptors (CVE-2024-53150). The Linux kernel's USB Audio driver is used in our speech microservices. Thi...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a stack overflow vulnerability in the libexpat library [CVE-2024-8176]
Summary IBM Watson Speech Services Cartridge is vulnerable to a stack overflow vulnerability in the libexpat library, due to the way it handles recursive entity expansion in XML documents (CVE-2024-8176). The libexpat library is used as part of our speech utilities. This vulnerability has been...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a sensitive header drop in Golang/net/http [CVE-2024-45336]
Summary IBM Watson Speech Services Cartridge is vulnerable to a sensitive header drop in Golang/net/http, which can occur following a cross-domain redirect (CVE-2024-45336). The Golang/net/http package is used as part of our speech utilities. This vulnerability has been addressed. Please read the...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure in Golang crypto/internal/nistec [CVE-2025-22866]
Summary IBM Watson Speech Services Cartridge is vulnerable to a sensitive information exposure in the Golang crypto/internal/nistec package, due to the usage of a variable time instruction in the assembly implementation of an internal function, which may allow a small number of bits of secret...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to certificate verification errors in golang.org/x/crypto/ssh [CVE-2024-45341]
Summary IBM Watson Speech Services Cartridge is vulnerable to certificate verification errors in golang.org/x/crypto/ssh, because of conditions which incorrectly satisfy a URI name constraint that applies to certificate chains (CVE-2024-45341). Golang.org/x/crypto/ssh is used as part of our speech utilities...