Security Bulletin: IBM Data Product Hub is affected by several vulnerabilities
Summary IBM Data Product Hub has dependencies on IBM Semeru and Node.js Axios & Babel runtime modules, which are vulnerable. This bulletin contains information regarding the vulnerabilities and their fixture. Vulnerability Details CVEID:CVE-2025-27789 DESCRIPTION: Babel is a compiler for writing...
Security Bulletin: Security vulnerabilities discovered in IBM Application Gateway (CVE-2023-5455, CVE-2024-37370, CVE-2024-45655)
Summary Security vulnerabilities discovered in the IBM Application Gateway have been addressed. Vulnerability Details CVEID:CVE-2023-5455 DESCRIPTION: FreeIPA is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to...
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Network Manager IP Edition (CVE-2025-27907)
Summary IBM WebSphere Application Server is a required product for IBM Tivoli Network Manager version 4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed ...
Security Bulletin: Multiple security vulnerabilities affecting IBM Knowledge Catalog for IBM Cloud Pak for Data
Summary Multiple security vulnerabilities impacting IBM Knowledge Catalog for IBM Cloud Pak for Data. These vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2023-3635 DESCRIPTION: Okio GzipSource is vulnerable to a denial of service, caused by unhandled exception. By sending a...
Security Bulletin: Multiple security vulnerabilities affecting IBM Knowledge Catalog for IBM Cloud Pak for Data
Summary Multiple security vulnerabilities impacting IBM Knowledge Catalog for IBM Cloud Pak for Data. These vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2023-28155 DESCRIPTION: Node.js Request module is vulnerable to server-side request forgery, caused by a cross-protocol...
Security Bulletin: IBM InfoSphere DataStage is vulnerable due to cleartext storage of sensitive information (CVE-2025-1499)
Summary A vulnerability due to cleartext storage of sensitive information in IBM InfoSphere DataStage was addressed. Vulnerability Details CVEID:CVE-2025-1499 DESCRIPTION: IBM InfoSphere DataStage stores credential information for database authentication in a cleartext parameter file that could b...
Security Bulletin: There are multiple vulnerabilities that can affect IBM Fusion HCI and IBM Fusion HCI for watsonx
Summary Multiple vulnerabilities affecting IBM Fusion HCI and IBM Fusion HCI for watsonx could have resulted in reduced security. These issues have since been resolved. CVE-2023-5115, CVE-2023-5764, CVE-2024-9902, CVE-2024-8775, CVE-2024-11079, CVE-2024-9506, CVE-2024-43799, CVE-2024-6119,...
Security Bulletin: There are multiple vulnerabilities that can affect IBM Fusion
Summary Multiple vulnerabilities affecting IBM Fusion could have resulted in reduced security. These issues have since been resolved. CVE-2024-6783, CVE-2024-9880, CVE-2024-51744, CVE-2024-47764, CVE-2024-9506, CVE-2024-45338, CVE-2025-25193, CVE-2024-21538, CVE-2025-27152, CVE-2024-47535,...
Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities
Summary There is a vulnerability in an Open Source Software (OSS) component consumed by IBM Planning Analytics Workspace. Additionally, IBM Planning Analytics Workspace is vulnerable to Cross-site scripting, Path Traversal, Session Fixation vulnerabilities. This Security Bulletin relates only to the...
Security Bulletin: IBM App Connect Enterprise is vulnerable to Inefficient Regular Expression Complexity due to Babel (CVE-2025-27789)
Summary IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise Runtime are vulnerable to Inefficient Regular Expression Complexity due to Babel. Vulnerability Details CVEID:CVE-2025-27789 DESCRIPTION: Babel is a compiler for writing next generation JavaScript. When using...
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2025-33104)
Summary IBM WebSphere Application Server is shipped as a component of Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixe...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to Remote Code Execution in Transformers [CVE-2024-11392, CVE-2024-11393, CVE-2024-11394]
Summary IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to Remote Code Execution in Transformers, due to a lack of proper validation of user-supplied data (CVE-2024-11392, CVE-2024-11393, CVE-2024-11394). This vulnerability has been addressed. Please read the details for remediation below...
Security Bulletin: IBM Asset Data Dictionary uses netty-common-4.1.115.Final.jar which is vulnerable to CVE-2025-25193.
Summary IBM Asset Data Dictionary uses netty-common-4.1.115.Final.jar which is vulnerable to CVE-2025-25193. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-25193 DESCRIPTION: Netty, an asynchronous, event-driven network...
Security Bulletin: IBM Maximo Application Suite uses cryptography-44.0.0-cp39-abi3-manylinux_2_28_x86_64.whl which is vulnerable to CVE-2024-12797.
Summary IBM Maximo Application Suite uses cryptography-44.0.0-cp39-abi3-manylinux_2_28_x86_64.whl which is vulnerable to CVE-2024-12797. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-12797 DESCRIPTION: Issue summary: Clients using...
Security Bulletin: IBM Maximo Application Suite uses axios-1.7.7.tgz, Kubectl-1.22.4 and Websphere Liberty - 24.0.0.11 which is vulnerable to CVE-2025-27152, CVE-2024-47535, CVE-2024-24791, CVE-2024-45336, CVE-2024.
Summary IBM Maximo Application Suite uses axios-1.7.7.tgz, Kubectl-1.22.4 and Websphere Liberty - 24.0.0.11 which is vulnerable to CVE-2025-27152, CVE-2024-47535, CVE-2024-24791, CVE-2024-45336, CVE-2024. . This bulletin contains information regarding the vulnerability and its fixture...
Security Bulletin: IBM Maximo Application Suite - IoT Component uses commons-codec-1.11.jar, okio-jvm-3.0.0.jar, jetty-http-10.0.24.jar and jetty-server-10.0.24.jar which is vulnerable to CVE-2020-8908, CVE-2023-2976, CVE-2024-6763, CVE-2023-3635
Summary IBM Maximo Application Suite - IoT Component uses commons-codec-1.11.jar, okio-jvm-3.0.0.jar, jetty-http-10.0.24.jar and jetty-server-10.0.24.jar which is vulnerable to CVE-2020-8908, CVE-2023-2976, CVE-2024-6763, CVE-2023-3635. This bulletin contains information regarding the vulnerabili...
Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2025-27789)
Summary IBM Security SOAR uses an older version of the babel runtime javascript module that may be identified and exploited. Updates for supported versions have been released which address the issue. It is recommended to upgrade to version 51.0.6.0 Vulnerability Details CVEID:CVE-2025-27789...
Security Bulletin: IBM Security SOAR is using a component with a known vulnerability [CVE-2024-53382]
Summary IBM Security SOAR uses an older version of prismjs that may be identified and exploited. Updates for supported versions have been released which address the issue. It is recommended customers upgrade to the latest applicable fix pack 51.0.6.0. Vulnerability Details CVEID:CVE-2024-53382...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in the parquet-avro module of Apache Parquet (CVE-2025-30065)
Summary A vulnerability in the parquet-avro module of Apache Parquet that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-30065 DESCRIPTION: Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors ...
Security Bulletin: IBM Maximo Application Suite Predict Component : Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used.
Summary Security Bulletin: IBM Maximo Application Suite Predict Component uses Flask, a web server gateway interface (WSGI) web application framework. In Flask 3.1.0. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-4727...
Security Bulletin: The IBM® Engineering Lifecycle Engineering products using IBM WebSphere Application Server is affected by a cross-site scripting vulnerability (CVE-2025-33104)
Summary IBM WebSphere Application Server is affected by a cross-site scripting vulnerability. Following IBM® Engineering Lifecycle Engineering product is vulnerable to this attack, it has been addressed in this bulletin: IBM Engineering Test Management Vulnerability Details Refer to the security...
Security Bulletin: Astronomer with IBM is vulnerable to unauthenticated access due to the Grafana package (CVE-2021-39226)
Summary Grafana is used by Astronomer with IBM as part of data visualization. Vulnerability Details CVEID:CVE-2021-39226 DESCRIPTION: Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest...
Security Bulletin: Multiple vulnerabilities in eclipse jetty may affect IBM Business Automation Workflow Case Configuration tool
Summary IBM Business Automation Workflow Case configuration tool packages vulnerable versions of the eclipse jetty open source library. Vulnerability Details CVEID:CVE-2023-26049 DESCRIPTION: Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a fl...
Security Bulletin: Multiple vulnerabilities in IBM Tivoli Network Manager IP Edition (ITNM).
Summary Multiple vulnerabilities were addressed in ITNM version 4.2 Fix Pack 22 4.2.0.22 Vulnerability Details CVEID:CVE-2025-23184 DESCRIPTION: A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the...
Security Bulletin: IBM QRadar SIEM protocols are vulnerable to information exposure due to Apache Commons Net FTP client behavior (CVE-2021-37533)
Summary Apache Commons Net could allow an attacker to cause information exposure due to improper input validation in the FTP client component. Vulnerability Details CVEID:CVE-2021-37533 DESCRIPTION: Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default....
Security Bulletin: IBM Observability with Instana for Synthetic PoP is affected by multiple critical security vulnerabilities
Summary Multiple critical vulnerabilities were addressed in IBM Observability with Instana for Synthetic PoP build 1.0.296 CVE-2025-32911, CVE-2025-24264 Vulnerability Details CVEID:CVE-2025-32911 DESCRIPTION: A use-after-free type vulnerability was found in libsoup, in the...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to http-proxy-middleware-2.0.7.tgz CVE-2025-32997
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to http-proxy-middleware-2.0.7.tgz CVE-2025-32997. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-32997 DESCRIPTION: In http-proxy-middleware before 2.0.9 and 3....
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to WebSphere Liberty which is vulnerable to a denial of service due to Netty CVE-2024-47535
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to WebSphere Liberty which is vulnerable to a denial of service due to Netty CVE-2024-47535. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-47535 DESCRIPTION:...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to cxf-core-3.5.5.jar, cxf-core-4.0.5.jar CVE-2025-23184
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to cxf-core-3.5.5.jar, cxf-core-4.0.5.jar CVE-2025-23184. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-23184 DESCRIPTION: A potential denial of service...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to openssl-0.10.70.crate CVE-2025-3416
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to openssl-0.10.70.crate CVE-2025-3416. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-3416 DESCRIPTION: A flaw was found in OpenSSL's handling of the properties...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to jinja2-3.1.4-py3-none-any.whl, jinja2-3.1.5-py3-none-any.whl CVE-2025-27516
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to jinja2-3.1.4-py3-none-any.whl, jinja2-3.1.5-py3-none-any.whl CVE-2025-27516. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-27516 DESCRIPTION: Jinja is an...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to transformers-4.46.3-py3-none-any.whl CVE-2025-1194
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to transformers-4.46.3-py3-none-any.whl CVE-2025-1194. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-1194 DESCRIPTION: A Regular Expression Denial of Service...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to openssl-0.10.64.crate CVE-2025-24898
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to openssl-0.10.64.crate CVE-2025-24898. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-24898 DESCRIPTION: rust-openssl is a set of OpenSSL bindings for the Rust...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to axios-1.3.4.min.js, axios-1.7.7.tgz CVE-2024-57965
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to axios-1.3.4.min.js, axios-1.7.7.tgz CVE-2024-57965. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-57965 DESCRIPTION: In axios before 1.7.8,...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to a denial of service due to Netty in IBM WebSphere Application Server Liberty CVE-2025-25193
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to a denial of service due to Netty in IBM WebSphere Application Server Liberty CVE-2025-25193. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-25193...
Security Bulletin: IBM Watson Discovery Cartridge is affected by vulnerability in tomcat-embed-core-10.1.33.jar
Summary IBM Watson Discovery Cartridge contains a vulnerable version of tomcat-embed-core-10.1.33.jar Vulnerability Details CVEID:CVE-2025-24813 DESCRIPTION: Path Equivalence: 'file.Name' Internal Dot leading to Remote Code Execution and/or Information disclosure and/or malicious content added to...
Security Bulletin: IBM SPSS Analytic Server is affected by multiple vulnerabilities in IBM WebSphere Application Server Liberty (CVE-2025-25193, CVE-2024-47535, CVE-2025-23184)
Summary IBM SPSS Analytic Server is affected by multiple vulnerabilities in IBM WebSphere Application Server Liberty CVE-2025-25193, CVE-2024-47535, CVE-2025-23184. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-23184 DESCRIPTION: A potential denial of...
Security Bulletin: IBM Tivoli Monitoring is affected by an insufficient validation of input data
Summary IBM Tivoli Monitoring has addressed a vulnerability with validation of input data. CVE-2025-3357 Vulnerability Details CVEID:CVE-2025-3357 DESCRIPTION: IBM Tivoli Monitoring could allow a remote attacker to execute arbitrary code due to improper validation of an index value of a dynamical...
Security Bulletin: SPSS Collaboration and Deployment Services is affected by vulnerability in Apache Commons BCEL
Summary SPSS Collaboration and Deployment Services is affected by vulnerability in Apache Commons BCEL. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2022-42920 DESCRIPTION: Apache Commons BCEL could allow a remote attacker to bypass security restrictions,...
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to security restriction bypass due to the Apache Maven package (CVE-2021-26291)
Summary Apache Maven is used by DataStage on Cloud Pak for Data as part of build management. Vulnerability Details CVEID:CVE-2021-26291 DESCRIPTION: Apache Maven could allow a remote attacker to bypass security restrictions, caused by the use of http non-SSL repository references by default. By...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to lightgbm-4.5.0-py3-none-manylinux_2_28_x86_64.whl CVE-2024-43598
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to lightgbm-4.5.0-py3-none-manylinux_2_28_x86_64.whl CVE-2024-43598. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-43598 DESCRIPTION: Microsoft LightGBM could allow...
Security Bulletin: Multiple vulnerabilities in IBM Rapid Infrastructure Automation
Summary Multiple vulnerabilities were addressed in IBM Rapid Infrastructure Automation v1.1.5.3 Vulnerability Details CVEID:CVE-2024-12254 DESCRIPTION: Starting in Python 3.12.0, the asyncio.SelectorSocketTransport.writelines method would not "pause" writing and signal to the Protocol to drain th...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for May 2025
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 2.0.1 IF001 Vulnerability Details CVEID:CVE-2025-31651 DESCRIPTION: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in...
Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2025-33104)
Summary WebSphere Application Server is shipped as a component of IBM Security Guardium Key Lifecycle Manager SKLM/GKLM. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulleti...
Security Bulletin: IBM Sterling Secure Proxy is vulnerable to CVE-2024-38341.
Summary IBM Sterling Secure Proxy is vulnerable due to the use of a weak cryptographic algorithm during hashing. Vulnerability Details CVEID:CVE-2024-38341 DESCRIPTION: IBM Sterling Secure Proxy uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly...
Security Bulletin: IBM Sterling Secure Proxy is vulnerable to CVE-2024-51453.
Summary IBM Sterling Secure Proxy is vulnerable to Path Traversal. Vulnerability Details CVEID:CVE-2024-51453 DESCRIPTION: IBM Sterling Secure Proxy could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot"...
Security Bulletin: FreeType Remote Code Execution Vulnerability found in IBM Netezza Performance Server
Summary FreeType is used in IBM Netezza Platform Server. IBM Netezza Platform Server has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-27363 DESCRIPTION: An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when...
Security Bulletin: Multiple vulnerabilities have been identified with the DS8900F and DS8A00 Hardware Management Console (HMC)
Summary DS8900F and DS8A00 updates have been released to address following vulnerabilities. Review the Vulnerability Details section below for additional information. CVE-2023-40547 CVSS Base Score:8.3, CVE-2024-5564 CVSS Base Score:8.1, CVE-2022-48624 CVSS Base Score:7.8, CVE-2022-48624 CVSS Bas...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a cross-site scripting vulnerability (CVE-2025-33104)
Summary IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a cross-site scripting vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a cross-site scripting vulnerability (CVE-2025-33104)
Summary IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a cross-site scripting vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products and...