CVE-2025-14808

EUVD-2025-209016 | Severity: LOW | 2026-03-25 | Vendor: ibm | CVSS 3.1 base score: 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 25, 2026 - 20:32 (euvd) - EUVD-2025-209016
Analysis Generated: Mar 25, 2026 - 20:32 (vuln.today)
Patch Released: Mar 25, 2026 - 20:32 (nvd) - Patch available
CVE Published: Mar 25, 2026 - 20:09 (nvd)

Description

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man-in-the-middle techniques.

Analysis

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an information disclosure vulnerability in which sensitive data is exposed through HTTP GET query strings, allowing an attacker with low privileges and network access to obtain confidential information via man-in-the-middle techniques. The CVSS score of 3.1 reflects low severity, driven by the high attack complexity and the low privileges required. A patch is available from IBM; the underlying weakness is a classic cleartext credential exposure risk in an enterprise data integration platform.

Technical Context

The vulnerability stems from CWE-598 (Use of GET Request with Sensitive Query Strings), a protocol-level weakness in which sensitive parameters are sent in the URL query string instead of a POST request body or another mechanism intended for secrets. Query strings are written to web server logs, browser history and proxy caches, and they travel in cleartext on the network whenever the connection is not protected by TLS, which is what makes man-in-the-middle interception possible. IBM InfoSphere Information Server (cpe:2.3:a:ibm:infosphere_information_server) is an enterprise data integration and governance platform that processes sensitive metadata and credentials. The affected versions (11.7.0.0 through 11.7.1.6) pass authentication tokens or sensitive configuration data as GET parameters, leaving them open to interception and exposure. This is an application-level protocol misuse rather than a cryptographic flaw.

Affected Products

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 are affected as confirmed by CPE cpe:2.3:a:ibm:infosphere_information_server. This encompasses all minor and patch versions within the 11.7.x series up to and including 11.7.1.6. Organizations running Information Server 11.7 must verify their specific patch level against the affected range. Remediation guidance and patches are available from IBM's support portal at https://www.ibm.com/support/pages/node/7266695.

Remediation

Upgrade IBM InfoSphere Information Server to version 11.7.1.7 or later; patch availability is confirmed on IBM's support page at https://www.ibm.com/support/pages/node/7266695. Organizations that cannot patch immediately should apply compensating controls: enforce HTTPS with TLS 1.2 or higher for all Information Server communications, configure HTTP Strict-Transport-Security (HSTS) headers, restrict network access to Information Server instances to trusted internal networks, monitor HTTP access logs for GET requests whose query parameters carry sensitive values, and disable or restrict plain HTTP in favor of HTTPS-only operation at the reverse proxy or firewall. Note that TLS protects the query string only in transit: it still lands in server, proxy and browser logs and history, so audit any credentials or sensitive configuration data that may already have been recorded in logs and rotate them proactively.
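The log-monitoring control above, shown as an added example (written for this page, not code from IBM or vuln.today): the script scans constructed access-log lines for GET requests whose query string carries parameter names that commonly hold secrets, and redacts those values before the line is retained. The parameter list, the /app/... paths and the log lines are assumptions and placeholders, not taken from the advisory.

```python
import re

# Parameter names that commonly carry secrets; this list is an assumption and
# should be extended with the application's real parameter names once known.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "access_token",
                    "session", "sessionid", "jsessionid", "apikey", "api_key",
                    "secret", "auth"}

# Apache/NGINX "combined" access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})')

def _query_pairs(target):
    # Split the raw query into (name, "=", value) triples without URL-decoding,
    # so the original encoding survives a round trip through redact_query().
    _, sep, query = target.partition("?")
    return [p.partition("=") for p in query.split("&") if p] if sep else []

def sensitive_get_params(line):
    # Sorted sensitive parameter names in a GET's query string; [] otherwise.
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return []
    names = {k for k, _, _ in _query_pairs(m.group("target"))}
    return sorted(k for k in names if k.lower() in SENSITIVE_PARAMS)

def redact_query(line):
    # Replace sensitive parameter values with [REDACTED] before the line is
    # retained, so the log itself stops being a copy of the secret.
    m = LOG_RE.match(line)
    if not m or "?" not in m.group("target"):
        return line
    target = m.group("target")
    path = target.partition("?")[0]
    cleaned = "&".join(
        f"{k}=[REDACTED]" if eq and k.lower() in SENSITIVE_PARAMS else k + eq + v
        for k, eq, v in _query_pairs(target))
    return line.replace(target, f"{path}?{cleaned}", 1)

# Constructed sample log lines (not real traffic); paths are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Mar/2026:20:09:00 +0000] "GET /app/login?user=etl&password=s3cr3t HTTP/1.1" 200 512',
    '10.0.0.7 - - [25/Mar/2026:20:10:00 +0000] "POST /app/login HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Mar/2026:20:11:00 +0000] "GET /app/console?view=jobs&Token=abc123 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(sensitive_get_params(line), redact_query(line))
```

Matching is case-insensitive on the parameter name only; values are never inspected, so the scanner does not itself copy secrets anywhere.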

Priority Score

16 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +16
POC: 0

CVE-2025-14808 vulnerability details – vuln.today