EUVD-2025-209040 | CVE-2025-36187
Severity: MEDIUM 4.4 (CVSS 3.1)
Vendor: ibm
Published: 2026-03-25

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (4 events)

Analysis Generated: Mar 25, 2026, 21:32 (vuln.today)
EUVD ID Assigned: Mar 25, 2026, 21:32 (euvd): EUVD-2025-209040
Patch Released: Mar 25, 2026, 21:32 (nvd): patch available
CVE Published: Mar 25, 2026, 21:26 (nvd): MEDIUM 4.4

Description

IBM Knowledge Catalog Standard Cartridge 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1 stores potentially sensitive information in log files that could be read by a local privileged user.

Analysis

IBM Knowledge Catalog Standard Cartridge versions 5.0.0 through 5.2.1 write sensitive information to log files that a local privileged user can read. An attacker who already holds high privileges on the affected system can read these logs and disclose confidential data without any user interaction; the vulnerability grants no new access to the host, only to data the application should have kept out of its logs. No exploitation in the wild and no public proof of concept have been reported, but a vendor patch is available and should be applied promptly, together with a review of what the existing logs already contain.

Technical Context

This vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File), a well-established information disclosure weakness in which an application writes data to its log files that should have been redacted or withheld. IBM Knowledge Catalog Standard Cartridge is an enterprise data governance and metadata management tool; the IBM advisory does not state which data is logged, and for a product of this kind the usual candidates are credentials, session or API tokens, and personal data carried in catalogued assets. The CPE cpe:2.3:a:ibm:knowledge_catalog_standard_cartridge carries no version constraint, so the affected range has to be taken from the advisory itself, which lists every 5.x release from 5.0.0 through 5.2.1. The CVSS vector (AV:L, PR:H, C:H) describes the practical shape of the issue: the reader must already be local and privileged, so the weakness lets an administrator or operator with file system access read secrets that the application's own access controls would otherwise withhold from them, and those secrets persist in every copy of the logs (rotated files, backups, shipped logs, support bundles) that inherits the original files' permissions.
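The CWE-532 pattern and its fix, as an added example that is not IBM's code and says nothing about how the cartridge itself logs: the sample event, key list and regular expressions below are constructed for illustration. The unfiltered logger writes an Authorization header and a password verbatim; the same calls made through a logging filter that scrubs structured arguments before formatting and secret-shaped substrings after it produce a log with the labels intact and the values gone.

```python
import io
import logging
import re

# Constructed sample event (not taken from the product): the kind of request
# record an application might log, including an Authorization header and a password.
SAMPLE_EVENT = {
    "user": "alice",
    "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.c2VjcmV0.c2ln",
                "Accept": "application/json"},
    "body": {"username": "alice", "password": "Tr0ub4dor&3", "catalog": "finance"},
}

# Keys whose values are never written to logs, whatever the caller passes.
SENSITIVE_KEYS = {"authorization", "password", "passwd", "secret", "token",
                  "api_key", "apikey", "cookie", "set-cookie"}

# Secrets embedded in free-form strings: keep the label, drop the value.
SENSITIVE_PATTERNS = [
    (re.compile(r"(?i)\b((?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*)\S+"),
     r"\1[REDACTED]"),
    (re.compile(r"(?i)\b(bearer\s+)[a-z0-9\-._~+/]+=*"), r"\1[REDACTED]"),
]


def scrub(obj):
    """Recursively redact values of sensitive keys and secret-looking substrings."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(scrub(v) for v in obj)
    if isinstance(obj, str):
        for pattern, repl in SENSITIVE_PATTERNS:
            obj = pattern.sub(repl, obj)
    return obj


class RedactingFilter(logging.Filter):
    """Scrub structured arguments, format, then scrub the rendered string.

    Structured scrubbing catches dict keys that a regex on str(dict) would miss;
    string scrubbing catches secrets that were interpolated into the message."""

    def filter(self, record):
        if record.args:
            record.args = scrub(record.args)
        record.msg = scrub(record.getMessage())
        record.args = ()          # already formatted; stop the handler formatting again
        return True


def render_log(event, redact):
    """Log a request two ways (dict argument and string interpolation); return the output."""
    logger = logging.getLogger(f"demo.{'safe' if redact else 'leaky'}")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    sink = io.StringIO()
    logger.addHandler(logging.StreamHandler(sink))
    if redact:
        logger.addFilter(RedactingFilter())
    logger.info("catalog request: %s", event)
    logger.info("debug: password=%s auth=%s",
                event["body"]["password"], event["headers"]["Authorization"])
    return sink.getvalue()


def leaks_secrets(text):
    """True if either constructed secret from SAMPLE_EVENT appears verbatim."""
    return "Tr0ub4dor&3" in text or "eyJhbGciOiJIUzI1NiJ9" in text


if __name__ == "__main__":
    print("--- unfiltered (CWE-532) ---")
    print(render_log(SAMPLE_EVENT, redact=False))
    print("--- with RedactingFilter ---")
    print(render_log(SAMPLE_EVENT, redact=True))
```

A filter of this kind is a second line of defence, not a substitute for not passing secrets to the logger: the deny-list of keys and patterns has to be maintained, and anything it does not recognise still lands on disk. It is attached at the logger rather than the handler so that every handler, including ones added later, sees the scrubbed record.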

Affected Products

IBM Knowledge Catalog Standard Cartridge versions 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1, 5.1.1, 5.1.2, 5.1.3, 5.2.0, and 5.2.1 are affected. The product is identified by CPE cpe:2.3:a:ibm:knowledge_catalog_standard_cartridge; the version list itself comes from the IBM advisory, since the CPE string carries no version constraint. All 5.x releases up to and including 5.2.1 contain the vulnerable log file handling. A security patch is available from IBM; consult the vendor advisory at https://www.ibm.com/support/pages/node/7267542 for the fixed versions and upgrade instructions.

Remediation

Upgrade IBM Knowledge Catalog Standard Cartridge to the patched version specified in the vendor advisory at https://www.ibm.com/support/pages/node/7267542. Because the attacker in this CVE already holds high privileges, no file permission change can fully close the issue; the interim controls below reduce exposure to everyone else and limit how far already-logged secrets spread. Restrict file system access to log directories to the application service account and the administrators with an operational need; prevent unprivileged users from reading application logs via file permissions (chmod 640 or more restrictive on Unix/Linux systems, or equivalent ACLs on Windows), and apply the same restriction to rotated logs, backups and any log-shipping destination. Treat secrets that may already be in the logs as compromised: search existing log files for credentials, tokens and API keys, rotate any that are found, and purge or re-protect the historical files. Implement log redaction or masking rules so that sensitive data (credentials, API keys, PII) is never written in the first place, and consider centralizing logs in a protected logging infrastructure with its own access controls. Monitor read access to the log files to detect unauthorized reads; on Linux, an audit watch such as auditctl -w /path/to/logs -p r -k ikc-logs records every read, including reads by privileged accounts that file permissions cannot stop.
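The two interim checks above, finding secrets that are already on disk and finding log files whose mode grants more than the advisory's 640, as an added example that is not IBM's code or tooling. The log directory, its file name and the three log lines are constructed for the demonstration (the product's real log paths and formats are not given on this page), and the permission logic assumes POSIX modes; the secret patterns are generic CWE-532 indicators, not a list of what the cartridge logs.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

POSIX = os.name == "posix"          # the permission checks below assume POSIX modes
MAX_FILE_MODE = 0o640               # owner rw, group r, no world access (advisory's interim control)

# Generic indicators of secrets that should never appear in a log line (CWE-532).
SECRET_PATTERNS = {
    "bearer_token": re.compile(r"(?i)\bbearer\s+[a-z0-9\-._~+/]{16,}=*"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "api_key": re.compile(r"(?i)\bapi[_-]?key\s*[=:]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def permission_findings(log_dir):
    """(file name, octal mode) for every file whose mode grants bits beyond MAX_FILE_MODE."""
    findings = []
    for p in sorted(Path(log_dir).rglob("*")):
        if p.is_file():
            mode = stat.S_IMODE(p.stat().st_mode)
            if mode & ~MAX_FILE_MODE:
                findings.append((p.name, oct(mode)))
    return findings


def content_findings(log_dir):
    """(file name, line number, indicator) for every log line matching a secret pattern."""
    findings = []
    for p in sorted(Path(log_dir).rglob("*.log")):
        with p.open(encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for name, pattern in SECRET_PATTERNS.items():
                    if pattern.search(line):
                        findings.append((p.name, lineno, name))
    return findings


def harden(log_dir):
    """Apply 750 to directories and 640 to files.

    This stops unprivileged local users only; root or the service account can still
    read the files, which is why the vendor patch, not chmod, is the actual fix."""
    os.chmod(log_dir, 0o750)
    for p in Path(log_dir).rglob("*"):
        os.chmod(p, 0o750 if p.is_dir() else 0o640)


def build_sample_log_dir():
    """Create a throwaway directory holding constructed log lines (not product output)."""
    root = tempfile.mkdtemp(prefix="ikc-logs-")
    app_log = Path(root) / "app.log"
    app_log.write_text(
        "2026-03-25T21:26:00Z INFO  request user=alice catalog=finance\n"
        "2026-03-25T21:26:01Z DEBUG outbound Authorization: Bearer "
        "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln\n"
        "2026-03-25T21:26:02Z DEBUG connect host=db01 password=Tr0ub4dor&3\n",
        encoding="utf-8",
    )
    os.chmod(app_log, 0o644)        # world-readable: the weak state the interim control removes
    return root


if __name__ == "__main__":
    root = build_sample_log_dir()
    print("permissions before:", permission_findings(root))
    print("secrets in logs:   ", content_findings(root))
    harden(root)
    print("permissions after: ", permission_findings(root))
```

Run the content scan before hardening and again after the patch: a non-empty result on a patched host means the old lines are still there and the credentials they contain still need rotating. Point both functions at the real log directory rather than the constructed one once the paths from the vendor advisory are known.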

Priority Score

22 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +22
POC: 0
