IBM

Db2 versions up to 12.1.3 contains a vulnerability that allows attackers to an authenticated user to obtain sensitive information under specific HADR config (CVSS 5.3).

Db2 versions up to 12.1.3 is affected by improper restriction of xml external entity reference (CVSS 7.1).

Db2 contains a vulnerability that allows attackers to an authenticated user to cause a denial of service due to improper neutralizatio (CVSS 6.5).

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic

IBM webMethods Integration (on prem) - Integration Server 10.15 through IS_10.15_Core_Fix2411.1 to IS_11.1_Core_Fix8 IBM webMethods Integration could disclose sensitive user information in server responses. [CVSS 6.5 MEDIUM]

IBM App Connect Enterprise Certified Container versions up to 12.19.0 is affected by untrusted search path (CVSS 5.1).

IBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. [CVSS 8.6 HIGH]

Concert versions up to 2.1.0 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 6.5).

IBM Concert 1.0.0 through 2.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. [CVSS 6.3 MEDIUM]

Log Analysis versions 1.3.5.0 versions up to 1.3.8.3 is affected by cross-site request forgery (csrf) (CVSS 4.3).

Jazz Reporting Service versions up to 7.0.3 contains a vulnerability that allows attackers to an authenticated user on the network to affect the system's performance using co (CVSS 3.5).

Jazz Reporting Service versions up to 7.0.3 contains a vulnerability that allows attackers to an authenticated user on the host network to obtain sensitive information about (CVSS 3.5).

Jazz Reporting Service versions up to 7.0.3 is affected by allocation of resources without limits or throttling (CVSS 3.5).

IBM Common Cryptographic Architecture (CCA) 7.5.52 and 8.4.82 allows unauthenticated users to execute certain cryptographic operations that should require elevated privileges.

IBM Db2 Big SQL on Cloud Pak for Data versions 7.6 (on CP4D 4.8), 7.7 (on CP4D 5.0), and 7.8 (on CP4D 5.1) do not properly limit the allocation of system resources. An authenticated user with internal knowledge of the environment could exploit this weakness to cause a denial of service. [CVSS 5.3 MEDIUM]

IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. [CVSS 5.3 MEDIUM]

IBM Cloud Pak System is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.3 MEDIUM]

IBM Cloud Pak System displays sensitive information in user messages that could aid in further attacks against the system. [CVSS 5.3 MEDIUM]

Cloud Pak For Business Automation versions up to 24.0.0 contains a vulnerability that allows attackers to an authenticated user to cause a denial of service or corrupt existing data due (CVSS 5.4).

Engineering Lifecycle Management versions up to 7.0.3 is affected by cross-site scripting (xss) (CVSS 5.4).

IBM Concert 1.0.0 through 2.1.0 stores potentially sensitive information in log files that could be read by a local user. [CVSS 3.3 LOW]

Cloud Pak For Business Automation versions up to 24.0.0 is affected by cross-site scripting (xss) (CVSS 6.4).

Concert versions up to 2.1.0 contains a vulnerability that allows attackers to decrypt highly sensitive information (CVSS 5.9).

Powervm Hypervisor versions up to fw950.00 contains a vulnerability that allows attackers to a local user with administration privileges to obtain sensitive information from (CVSS 6.0).

IBM PowerVM Hypervisor FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, and FW950.00 through FW950.F0 may expose a limited amount of data to a peer partition in specific shared processor configurations during certain operations. [CVSS 2.8 LOW]

IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. [CVSS 7.1 HIGH]

IBM Jazz Foundation 7.0.3 through 7.0.3 iFix019 and 7.1.0 through 7.1.0 iFix005 is vulnerable to access control violations that allows the users to view or access/perform actions beyond their expected capability. [CVSS 4.3 MEDIUM]

IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution. [CVSS 7.6 HIGH]

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query with XML columns. [CVSS 6.5 MEDIUM]

Db2 contains a vulnerability that allows attackers to an authenticated user to cause a denial of service due to improper neutralizatio (CVSS 5.3).

Db2 contains a vulnerability that allows attackers to cause a denial of service due to insufficient validation of special elements in (CVSS 6.5).

Db2 contains a vulnerability that allows attackers to cause a denial of service due to improper neutralization of special elements in (CVSS 6.5).

Db2 contains a vulnerability that allows attackers to a local user to cause a denial of service due to improper neutralization of spec (CVSS 6.5).

IBM® Db2® is vulnerable to a denial of service with a specially crafted query that uses ALTER TABLE operations. [CVSS 6.5 MEDIUM]

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 could allow an authenticated user to cause a denial of service when given specially crafted query. [CVSS 6.5 MEDIUM]

Db2 contains a vulnerability that allows attackers to a local user with filesystem access to escalate their privileges due to the use (CVSS 8.4).

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service by executing a query that invokes the JSON_Object scalar function, which may trigger an unhandled exception leading to abnormal server termination. [CVSS 6.5 MEDIUM]

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 under specific configuration of cataloged remote storage aliases could allow an authenticated user to execute unauthorized commands due to an authorization bypass vulnerability using a user-controlled key. [CVSS 6.8 MEDIUM]

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. [CVSS 6.2 MEDIUM]

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execute malicious code that escalate their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level. [CVSS 7.2 HIGH]

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service when copying large table containing XML data due to improper allocation of system resources. [CVSS 6.2 MEDIUM]

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service due to improper allocation of resources. [CVSS 6.5 MEDIUM]

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as a trap may occur when selecting from certain types of tables. [CVSS 6.5 MEDIUM]

Db2 contains a vulnerability that allows attackers to an authenticated user to cause a denial of service due to excessive use of a glo (CVSS 6.5).

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion. [CVSS 6.5 MEDIUM]

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 is vulnerable to a denial of service as the server may crash when an authenticated user creates a specially crafted query. [CVSS 6.5 MEDIUM]

IBM ApplinX 11.1 could disclose sensitive information about server architecture that could aid in further attacks against the system. [CVSS 5.3 MEDIUM]

Applinx versions up to 11.1.0 is affected by improper verification of cryptographic signature (CVSS 7.3).

IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. [CVSS 3.5 LOW]

Applinx versions up to 11.1.0 contains a vulnerability that allows attackers to an authenticated user to perform unauthorized administrative actions on the serv (CVSS 3.1).

IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]

IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 6.4 MEDIUM]

IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. [CVSS 5.4 MEDIUM]

IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by session fixation (CVSS 6.3).

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by cross-site scripting (xss) (CVSS 5.4).

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by cross-site scripting (xss) (CVSS 6.1).

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by insufficient session expiration (CVSS 6.3).

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by insufficient session expiration (CVSS 6.3).

Business Automation Workflow versions up to 24.0.0 is affected by execution with unnecessary privileges (CVSS 4.7).

Business Automation Workflow versions up to 24.0.0 is affected by insertion of sensitive information into externally-accessible file (CVSS 5.5).

Concert versions up to 2.1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

Concert versions up to 2.1.0 contains a vulnerability that allows attackers to a remote attacker to obtain sensitive information from allocated memory due to i (CVSS 5.9).

Concert versions up to 2.1.0 contains a vulnerability that allows attackers to a remote attacker to obtain sensitive information from allocated memory due to i (CVSS 5.9).

Direct for UNIX Container 6.3.0.0 versions up to 6.3.0.6 is affected by use of hard-coded credentials (CVSS 8.4).

Aspera Console versions up to 3.4.7 is affected by insertion of sensitive information into log file (CVSS 4.9).

IBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image. [CVSS 8.4 HIGH]

In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: change all pageblocks migrate type on coalescing When a page is freed it coalesces with a buddy into a higher order page while possible.

IBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits.

IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.18 could disclose sensitive user credentials in log files.

A remote code execution vulnerability (CVSS 2.7) that allows a privileged user. Remediation should follow standard vulnerability management procedures.

IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 stores unencrypted sensitive information in environmental variables files which can be obtained by an authenticated user.

IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due to improper validation of a specified quantity size input.

IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race condition attacks.

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. An attacker could exploit this vulnerability by using a specially crafted URL to redirect the user to a malicious site.

CVE-2024-45675 is a security vulnerability (CVSS 8.4) that allows a local user. High severity vulnerability requiring prompt remediation.

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could reveal sensitive server IP configuration information to an unauthorized. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

A Looker user with a Developer role could create a database connection using IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.

IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required. No vendor patch available.

IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 are impacted by obtaining an information vulnerability in the database plan cache implementation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Storage Virtualize 8.4, 8.5, 8.7, and 9.1 IKEv1 implementation allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.