CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
DescriptionNVD
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR).
AnalysisAI
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an Insecure Direct Object Reference (IDOR) vulnerability. Read against the CVSS vector, the attacker already holds valid low-privilege credentials (PR:L), sits on an adjacent network (AV:A), and can supply an object identifier that the application never checks against their entitlements, so they can read data they are not authorized to see (C:H). The vector records no integrity or availability impact (I:N, A:N) and no scope change (S:U): this is a read-only authorization bypass, not a route to modifying or deleting data or to escalating privileges. IBM has published a fix (see Remediation). Organizations running affected versions should still treat it as a priority, because the platform holds metadata, lineage and transformation logic for enterprise data flows, and any low-privilege account that can reach it, including a compromised service or contractor account, can exfiltrate that information.
Technical ContextAI
The vulnerability is classed as CWE-639 (Authorization Bypass Through User-Controlled Key): the application authenticates the caller, but when a request names a specific resource by identifier it does not verify that this caller is entitled to that particular object. IBM's description does not say which request path is affected; in a platform of this kind the identifiers in question would typically be data asset IDs, project IDs or metadata repository object references passed to API endpoints or data-access layers, so that is where to look when auditing, but it is an inference, not a statement from the advisory. The CPE entry (cpe:2.3:a:ibm:infosphere_information_server:*:*:*:*:*:*:*:*) is a version-range wildcard covering the affected 11.7.x releases; it says nothing about which component carries the flaw. The practical concern is the scope of what becomes readable: InfoSphere Information Server is an ETL and data-governance platform, so unauthorized read access to metadata or configuration can expose data lineage, transformation logic and the structure of the business-intelligence systems downstream of it.
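The CWE-639 pattern described above, as an added example that is not InfoSphere's code or IBM's API: a hypothetical in-memory metadata service with a handler that authenticates the session and then looks up whatever asset ID the caller supplied (the vulnerable shape), beside a handler that authorizes the resolved object against the caller's project membership. The asset IDs, project names, users and session tokens are constructed for the example. An `enumerate_ids` helper plays the attacker sweeping the ID space, which is how an IDOR of this kind is actually exploited.

```python
"""Object-level authorization: the CWE-639 pattern and its fix.

Hypothetical in-memory model of a metadata service. The asset IDs, project
names, users and tokens below are constructed for the example and are not
InfoSphere's real API or data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    asset_id: int
    project: str
    name: str
    lineage: str


@dataclass
class User:
    username: str
    roles: frozenset = field(default_factory=frozenset)
    projects: frozenset = field(default_factory=frozenset)


# Constructed sample data: two projects; assets should be visible only to members.
ASSETS = {
    101: Asset(101, "finance", "gl_load_job", "ORACLE.GL -> DWH.FACT_GL"),
    102: Asset(102, "finance", "payroll_export", "HR.PAY -> SFTP.BANK"),
    201: Asset(201, "marketing", "campaign_etl", "CRM.LEADS -> DWH.CAMPAIGN"),
}
SESSIONS = {
    "tok-alice": User("alice", frozenset({"analyst"}), frozenset({"marketing"})),
    "tok-bob": User("bob", frozenset({"analyst"}), frozenset({"finance"})),
}


class NotFound(Exception):
    pass


def _authenticate(token: str) -> User:
    """Establishes *who* the caller is; says nothing about *what* they may read."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise PermissionError("not authenticated") from None


def get_asset_vulnerable(token: str, asset_id: int) -> Asset:
    """Vulnerable: any authenticated user can read any asset by guessing its ID.

    asset_id arrives straight from the caller (the user-controlled key of
    CWE-639) and is used as a lookup key with no check that this user is
    entitled to that object.
    """
    _authenticate(token)
    try:
        return ASSETS[asset_id]
    except KeyError:
        raise NotFound(asset_id) from None


def _may_read(user: User, asset: Asset) -> bool:
    """Object-level policy: project members or administrators may read."""
    return "admin" in user.roles or asset.project in user.projects


def get_asset_hardened(token: str, asset_id: int) -> Asset:
    """Fixed: resolve the object, then authorize the object, not just the route.

    A non-member gets the same NotFound as a nonexistent ID, so the response
    does not reveal which IDs exist (a 403-vs-404 difference would still let
    an attacker map the ID space even though the data itself is withheld).
    """
    user = _authenticate(token)
    asset = ASSETS.get(asset_id)
    if asset is None or not _may_read(user, asset):
        raise NotFound(asset_id)
    return asset


def enumerate_ids(token: str, fetch, id_range) -> list[int]:
    """What an attacker does: sweep the ID space and record which IDs returned data."""
    found = []
    for asset_id in id_range:
        try:
            fetch(token, asset_id)
            found.append(asset_id)
        except (NotFound, PermissionError):
            pass
    return found


if __name__ == "__main__":
    ids = range(100, 300)
    print("vulnerable:", enumerate_ids("tok-alice", get_asset_vulnerable, ids))
    print("hardened:  ", enumerate_ids("tok-alice", get_asset_hardened, ids))
```

Run stand-alone, the sweep against the vulnerable handler returns every asset in the store to a marketing-only user, while the hardened handler returns only the marketing asset. The design point is that the authorization decision has to be made on the resolved object (its project, owner or ACL), not on the caller's role alone: a role check would pass here, because the attacker legitimately holds the analyst role.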
RemediationAI
Upgrade IBM InfoSphere Information Server to 11.7.1.7 or later using the fix published in IBM's security bulletin (https://www.ibm.com/support/pages/node/7266723). Until that is done, be realistic about compensating controls: role-based access control does not address this flaw, because the attacker already holds a legitimate low-privilege role and the missing check is per object, not per role. What helps is shrinking the population that can reach the affected interface: remove dormant and shared accounts, keep API access for non-administrative users only where it is operationally required, and, given the adjacent-network attack vector, segment the InfoSphere servers so that only administrative networks and required client systems can reach them. Make sure access logs record the object identifier in each request, and monitor them for one principal requesting many distinct identifiers in a short window, a high ratio of 403/404 responses, or reads of objects outside that user's projects; these are the signatures of IDOR enumeration. If the upgrade will be delayed, consider disabling API access outside scheduled batch windows.
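The monitoring recommendation above, as an added example that is not from the page or from IBM: a detection sketch that parses constructed access-log lines and flags a principal who requests many distinct object IDs in a short window with a high miss rate (the enumeration sweep an IDOR attacker performs). The log layout and the `/api/assets/<id>` path are invented for the example; adapt the regular expression to the real application or reverse-proxy log format, and tune the window and thresholds to normal traffic.

```python
"""Detect IDOR enumeration in access logs.

Heuristic: one principal touching many distinct object IDs within a short
window, with a high share of 403/404 responses. The log format and the
/api/assets/<id> path below are constructed for this example and are not
InfoSphere's real log layout or endpoint.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ISO timestamp, user, HTTP method, path, status.
# alice sweeps IDs 101..107 and 201..203 in six seconds; bob uses two assets normally.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z alice GET /api/assets/201 200
2025-06-01T10:00:02Z alice GET /api/assets/202 404
2025-06-01T10:00:02Z alice GET /api/assets/203 404
2025-06-01T10:00:03Z alice GET /api/assets/101 200
2025-06-01T10:00:03Z alice GET /api/assets/102 200
2025-06-01T10:00:04Z alice GET /api/assets/103 404
2025-06-01T10:00:04Z alice GET /api/assets/104 404
2025-06-01T10:00:05Z alice GET /api/assets/105 404
2025-06-01T10:00:05Z alice GET /api/assets/106 404
2025-06-01T10:00:06Z alice GET /api/assets/107 404
2025-06-01T10:05:00Z bob GET /api/assets/101 200
2025-06-01T10:07:30Z bob GET /api/assets/102 200
2025-06-01T10:30:00Z bob GET /api/assets/101 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"/api/assets/(?P<asset_id>\d+) (?P<status>\d{3})$"
)


def parse(log_text):
    """Return one event dict per line that names an asset; skip everything else."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated request or malformed line
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "asset_id": int(m["asset_id"]),
            "status": int(m["status"]),
        })
    return events


def find_enumeration(events, window=timedelta(seconds=60),
                     min_distinct=8, min_miss_ratio=0.5):
    """Sliding window per user. Flag when the window holds at least
    min_distinct different IDs and at least min_miss_ratio of the responses
    were 403 or 404. Returns {user: summary} for flagged users; the summary
    lists the IDs that did return 200, which is what the attacker got."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            distinct = {e["asset_id"] for e in win}
            misses = sum(1 for e in win if e["status"] in (403, 404))
            if len(distinct) >= min_distinct and misses / len(win) >= min_miss_ratio:
                findings[user] = {
                    "distinct_ids": len(distinct),
                    "miss_ratio": round(misses / len(win), 2),
                    "succeeded": sorted(e["asset_id"] for e in win if e["status"] == 200),
                }
    return findings


if __name__ == "__main__":
    for user, summary in find_enumeration(parse(SAMPLE_LOG)).items():
        print(f"{user}: {summary}")
```

Two caveats matter when deploying this. First, a service that returns 200 for every valid ID regardless of entitlement (the vulnerable case) produces a low miss ratio once the attacker has found the populated ID range, so the distinct-ID count is the more robust signal and the miss ratio should be treated as corroboration. Second, the `succeeded` list is the scope of the exposure for incident response: those are the objects whose contents the account actually retrieved.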
EUVD-2025-209022
GHSA-pqx7-wmpc-ggm9