SB2026031942 - Multiple vulnerabilities in IBM Cloud Pak for Business Automation
Published: March 19, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 26 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2025-22227)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to Reactor Netty HTTP client leaks credentials in some specific scenarios with chained redirects. A remote attacker can gain access to sensitive information.
2) File and Directory Information Exposure (CVE-ID: CVE-2025-36058)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A local user can disclose sensitive configuration information in a config map.
3) Protection Mechanism Failure (CVE-ID: CVE-2025-41248)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the annotation detection mechanism does not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. A remote attacker can gain access to sensitive information.
4) Protection Mechanism Failure (CVE-ID: CVE-2025-41249)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. A remote attacker can gain access to sensitive information.
5) Resource exhaustion (CVE-ID: CVE-2025-5115)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
6) Security features bypass (CVE-ID: CVE-2025-22228)
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to BCryptPasswordEncoder does not properly enforce maximum password length and will return "true" for passwords larger than 72 characters as long as the first 72 characters are the same. This can be used set weak passwords that can be easily brute-forced.
7) Improper input validation (CVE-ID: CVE-2019-0227)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core (Apache Axis) component in Oracle Communications Design Studio. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
8) Resource exhaustion (CVE-ID: CVE-2016-3092)
The vulnerability allows a remote attacker to cause denial of service conditions on the target system.The vulnerability exists due to input validation error when processing very long boundary strings within the MultipartStream class in Apache Commons Fileupload. A remote user can cause denial of service conditions by sending specially crafted boundary string and consume excessive CPU resources.
Successful exploitation of this vulnerability may result in denial of service attack.
9) Desereliazation of untrusted data (CVE-ID: CVE-2016-1000031)
The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.The weakness exists in DiskFileItem class of the FileUpload library due to deserialization of untrusted data. A remote attacker can execute arbitrary code under the context of the current process.
Successful exploitation of the vulnerability may result in system compromise.
10) Execution with unnecessary privileges (CVE-ID: CVE-2025-36059)
The vulnerability allows a local user to execute OS system calls.
The vulnerability exists due to application binary has a setuid bit. A local low-privileged user with access to the container to execute OS system calls.
11) Missing authorization (CVE-ID: CVE-2025-22235)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The
vulnerability exists due to an error in EndpointRequest.to()
implementation. The function creates a matcher for null/** if the
actuator endpoint, for which the EndpointRequest has been created, is
disabled or not exposed. A remote non-authenticated attacker can gain
unauthorized access to the application.
12) Input validation error (CVE-ID: CVE-2014-3596)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784. <a href="http://cwe.mitre.org/data/definitions/297.html" target="_blank">CWE-297: Improper Validation of Certificate with Host Mismatch</a>
13) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2023-51441)
The disclosed vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in the service admin HTTP API. A remote user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
14) Improper Authorization (CVE-ID: CVE-2024-38827)
The vulnerability allows a remote attacker to bypass authorization.
The vulnerability exists due to presence of Locale dependent exceptions when using String.toLowerCase() and String.toUpperCase() for string comparison. A remote attacker can bypass authorization rules using specially crafted input.
Note, the vulnerability is related to #VU98795 (CVE-2024-38820).
15) Resource exhaustion (CVE-ID: CVE-2025-55163)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
16) Use of insufficiently random values (CVE-ID: CVE-2020-36732)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the application generates random numbers by concatenating the string "0." with an
integer, which makes the output more predictable than necessary. A remote attacker can gain access to sensitive information.
17) Input validation error (CVE-ID: CVE-2024-38828)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input passed via Spring MVC controller method with @RequestBody byte[] parameter. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
18) Out-of-bounds read (CVE-ID: CVE-2024-36124)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due Snappy tries to read outside the bounds of the given byte arrays when uncompressing certain data. A remote attacker can create a non-deterministic behavior or crash the JVM.
19) Path traversal (CVE-ID: CVE-2024-38819)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in applications that serve static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
20) Cross-site scripting (CVE-ID: CVE-2018-8032)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the default servlet/services due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
21) Improper authorization (CVE-ID: CVE-2025-41232)
The vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to an error in Spring Security Aspects, that may not correctly locate method security annotations on private methods. A remote non-authenticated attacker can bypass authorization checks and gain unauthorized access to the application.
The vulnerability affects system that:
- use
@EnableMethodSecurity(mode=ASPECTJ)andspring-security-aspects, and - have Spring Security method annotations on a private method
22) Information disclosure (CVE-ID: CVE-2025-30474)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in the FtpFileObject class, that can expose passwords in clear text. A remote attacker can gain unauthorized access to sensitive information.
23) Path traversal (CVE-ID: CVE-2025-27553)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing double dots, e.g. ".." in file names. A remote attacker can view files outside of the current scope.
24) Resource exhaustion (CVE-ID: CVE-2025-22868)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the jws package does not properly control consumption of internal resources when handling malformed tokens. A remote attacker can pass a malformed JWT token to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
25) Uncontrolled Recursion (CVE-ID: CVE-2025-48924)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. A remote attacker can trigger uncontrolled recursion and perform a denial of service (DoS) attack.
26) Input validation error (CVE-ID: CVE-2012-5784)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Apache Axis did not verify that the server host name matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. A remote attacker can pass specially crafted input to the application and spoof an SSL server if they had a certificate that was valid for any domain name.
Remediation
Install update from vendor's website.