CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR).
Analysis
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated attackers with low privileges to access sensitive information they should not be authorized to view. An attacker on the same network segment with valid user credentials can bypass authorization controls to read confidential data, though they cannot modify or delete information. A vendor patch is available, and this vulnerability should be prioritized for organizations running affected versions as it enables privilege escalation and data exfiltration within trusted network environments.
Technical Context
The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), a fundamental access control flaw where the application fails to properly validate whether an authenticated user is authorized to access specific resources. In InfoSphere Information Server, this manifests as improper object reference validation—likely in API endpoints or data access layers where resource identifiers (such as data asset IDs, project IDs, or metadata object references) are passed without sufficient authorization checks. The affected CPE range (cpe:2.3:a:ibm:infosphere_information_server:*:*:*:*:*:*:*:*) spans the entire 11.7.x branch, indicating the flaw exists in the core data server or metadata repository access mechanisms. InfoSphere Information Server is a complex ETL and data governance platform where unauthorized metadata or configuration access could expose entire data lineage, transformation logic, and business intelligence structures.
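The following is an added illustration of the CWE-639 pattern described above, not code from IBM or from InfoSphere Information Server: a hypothetical metadata-asset lookup keyed by a client-supplied asset ID, shown once with only an authentication check and once with the object-level authorization check that closes the gap. The repository, users and project-membership model are constructed for the example.

```python
"""Illustration of CWE-639 (authorization bypass through a user-controlled key).
Hypothetical example, not IBM InfoSphere code: a metadata-asset lookup keyed by
an asset ID that the client supplies. Ownership is modelled per project."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    asset_id: int
    project_id: str
    lineage: str  # sensitive: data lineage / transformation logic


@dataclass
class User:
    name: str
    projects: set = field(default_factory=set)  # projects the user belongs to
    is_admin: bool = False


# Constructed sample repository and user directory (assumptions for the example).
REPO = {
    1001: Asset(1001, "finance", "src=gl_ledger -> job=fx_normalize -> tgt=dw_fact"),
    1002: Asset(1002, "hr", "src=payroll -> job=mask_ssn -> tgt=dw_people"),
}
USERS = {
    "alice": User("alice", {"finance"}),
    "bob": User("bob", {"hr"}),
    "ops": User("ops", set(), is_admin=True),
}


class Forbidden(Exception):
    pass


def get_asset_vulnerable(session_user: str, asset_id: int) -> Asset:
    """Authentication only: any logged-in user can read any asset by supplying its ID."""
    if session_user not in USERS:
        raise PermissionError("not authenticated")
    return REPO[asset_id]  # no check that the caller is allowed to see this object


def get_asset_hardened(session_user: str, asset_id: int) -> Asset:
    """Authentication plus an object-level authorization check (the CWE-639 fix)."""
    user = USERS.get(session_user)
    if user is None:
        raise PermissionError("not authenticated")
    asset = REPO.get(asset_id)
    # Fail closed: unknown IDs and unauthorized IDs produce the same error, so a
    # caller cannot use the response to learn which object IDs exist.
    if asset is None or not (user.is_admin or asset.project_id in user.projects):
        raise Forbidden(f"user {user.name} may not access asset {asset_id}")
    return asset


if __name__ == "__main__":
    # The vulnerable lookup hands alice the HR lineage; the hardened one refuses.
    print(get_asset_vulnerable("alice", 1002).lineage)
    try:
        get_asset_hardened("alice", 1002)
    except Forbidden as err:
        print("blocked:", err)
```

The point of the hardened version is that the authorization decision is made against the object that was actually loaded, not against the request parameters, and that "not found" and "not authorized" are indistinguishable to the caller.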
Affected Products
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 are vulnerable to this IDOR flaw (confirmed via CPE cpe:2.3:a:ibm:infosphere_information_server). All minor versions in the 11.7 release line up to and including patch level 11.7.1.6 are impacted. Version 11.7.1.7 and later are expected to contain the fix. Organizations using InfoSphere Information Server for data integration, metadata management, or enterprise data governance should verify their installed version and patch level. The vendor security advisory is available at https://www.ibm.com/support/pages/node/7266723.
Remediation
Upgrade IBM InfoSphere Information Server to version 11.7.1.7 or later immediately using the patch provided by IBM (link: https://www.ibm.com/support/pages/node/7266723). Before patching is feasible, implement compensating controls: enforce role-based access control (RBAC) at the application level to restrict which authenticated users can access which InfoSphere resources, disable or restrict API access for non-administrative users if not operationally necessary, and segment the InfoSphere network to limit access only to trusted administrative networks and required client systems. Monitor InfoSphere access logs for unusual enumeration patterns or cross-user resource access requests that may indicate IDOR exploitation attempts. If the environment cannot be patched within 30 days, consider temporarily disabling InfoSphere API access outside of scheduled batch windows.
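As an added example of the log monitoring recommended above (not a tool from IBM, and not InfoSphere's real log format), the detector below runs two checks over constructed access-log lines: reads of assets belonging to projects the user is not a member of, and bursts in which one user touches many distinct asset IDs within a short window. The line format, the ownership map and the thresholds are assumptions chosen for the example.

```python
"""Detector for IDOR-style access patterns over constructed access-log lines.
Hypothetical log format (an assumption, not InfoSphere's own):
    <ISO timestamp> user=<name> asset=<id> status=<http status>
Flags (a) successful reads of assets outside the user's projects and
(b) a user touching more than max_ids distinct asset IDs inside a time window."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) user=(\w+) asset=(\d+) status=(\d{3})$")

# Constructed ownership map and project membership (assumptions for the example).
ASSET_PROJECT = {1001: "finance", 1002: "hr", 1003: "hr", 1004: "hr", 1005: "finance"}
USER_PROJECTS = {"alice": {"finance"}, "bob": {"hr"}, "ops": {"finance", "hr"}}

# Constructed sample log: alice walks through HR asset IDs she has no membership for.
SAMPLE_LOG = """\
2025-01-10T09:00:01 user=alice asset=1001 status=200
2025-01-10T09:00:05 user=bob asset=1002 status=200
2025-01-10T09:01:00 user=alice asset=1002 status=200
2025-01-10T09:01:01 user=alice asset=1003 status=200
2025-01-10T09:01:02 user=alice asset=1004 status=200
2025-01-10T09:01:03 user=alice asset=1005 status=200
2025-01-10T09:30:00 user=ops asset=1003 status=200
"""


def parse(log_text):
    """Return (timestamp, user, asset_id, status) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, asset, status = m.groups()
        events.append((datetime.fromisoformat(ts), user, int(asset), int(status)))
    return events


def cross_project_reads(events):
    """Successful reads of assets in projects the user does not belong to."""
    hits = []
    for _, user, asset, status in events:
        if status != 200:
            continue
        proj = ASSET_PROJECT.get(asset)
        if proj is not None and proj not in USER_PROJECTS.get(user, set()):
            hits.append((user, asset, proj))
    return hits


def enumeration_bursts(events, max_ids=3, window=timedelta(seconds=60)):
    """Map user -> largest number of distinct asset IDs seen within any `window`,
    for users exceeding max_ids. Sliding window over each user's events by time."""
    per_user = defaultdict(list)
    for ts, user, asset, _ in events:
        per_user[user].append((ts, asset))
    flagged = {}
    for user, evs in per_user.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {a for _, a in evs[start:end + 1]}
            if len(distinct) > max_ids:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("cross-project reads:", cross_project_reads(evs))
    print("enumeration bursts:", enumeration_bursts(evs))
```

The cross-project check needs an ownership source of truth (here a dict; in practice the repository's own membership data), which is the same information the application should have consulted before serving the object. The burst check needs no ownership data at all, so it is the cheaper first signal to wire into existing log pipelines.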
Related Identifiers
EUVD-2025-209022
GHSA-pqx7-wmpc-ggm9