Security bulletins and fixes

Stay informed about known security vulnerabilities and fixes for IBM Cloud Pak® for AIOps by subscribing to the security bulletins and by reviewing the list of fixed security-related vulnerabilities.

Security bulletins

Subscribe to IBM Cloud Pak for AIOps notifications by following these steps:

  1. Go to the IBM Support site.

  2. Scroll to the Support basics section. Then, click the Notification settings card.

  3. Log in to IBM with your IBMid and password to continue.

  4. Enter IBM Cloud Pak for AIOps in the Product lookup field. Click Subscribe.

  5. In the Select document types page, select Security bulletin and Fixes > Security Vulnerability (Sec/Int). You can also select any other document types that you need to keep informed about.

  6. Click Submit.

  7. To configure how you receive notifications, click Delivery preferences in the banner at the beginning of the page. Edit your settings as needed.

Fixed security-related vulnerabilities in version 4.9.0

Review the following table, which lists the reported security-related vulnerabilities that were fixed in IBM Cloud Pak for AIOps and in any included IBM or third-party software.

Table. Fixed Common Vulnerabilities and Exposures in Version 4.9.0
| CVE-ID | Issue | Description |
|---|---|---|
| CVE-2025-1302 | Node.js jsonpath-plus module code execution | Node.js jsonpath-plus module could allow a remote attacker to execute arbitrary code on the system, caused by improper input sanitization. |
| CVE-2025-22150 | Node.js undici information disclosure | Node.js undici could allow a remote attacker to obtain sensitive information, caused by the use of insufficiently random values in undici fetch(). |
| CVE-2025-23085 | Node.js denial of service | Node.js is vulnerable to a denial of service, caused by a memory leak when a remote peer abruptly closes the socket without sending a GOAWAY notification. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. |
| CVE-2025-25200 | | |
| CVE-2024-26935 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by an error related to an unremoved procfs host directory regression. A local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-53104 | Linux Kernel privilege escalation | Linux Kernel could allow a local authenticated attacker to gain elevated privileges, caused by an out-of-bounds write error while skipping parsing of frames of type UVC_VS_UNDEFINED in uvc_parse_format. |
| CVE-2024-12085 | RsyncProject Rsync information disclosure | RsyncProject Rsync could allow a remote attacker to obtain one byte of uninitialized stack data at a time, caused by a flaw when comparing file checksums. |
| CVE-2024-47175 | OpenPrinting libppd command execution | OpenPrinting libppd could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to validate or sanitize the IPP attributes when writing them to a temporary PPD file in the ppdCreatePPDFromIPP2 function in libppd. By sending a specially crafted request using IPP attributes, an attacker could exploit this vulnerability to execute arbitrary commands on the system. |
| CVE-2024-27137 | Apache Cassandra man-in-the-middle | Apache Cassandra is vulnerable to a man-in-the-middle attack, caused by an unrestricted deserialization of JMX authentication credentials. |
| CVE-2025-23015 | Apache Cassandra privilege escalation | Apache Cassandra could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a privilege defined with unsafe actions flaw. |
| CVE-2025-24860 | Apache Cassandra security bypass | Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions. This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5. |
| CVE-2023-45288 | Golang Go denial of service | Golang Go is vulnerable to a denial of service, caused by a memory exhaustion flaw due to a flood of CONTINUATION frames in the HTTP/2 protocol stack in the net/http and x/net/http2 packages. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-24790 | Golang Go unspecified | Various Is methods (IsPrivate, IsLoopback, and so on) in the net/netip package in Golang Go did not work as expected for IPv4-mapped IPv6 addresses. The impact and attack vector of this error are unknown. |
| CVE-2024-34155 | Golang Go denial of service | Golang Go is vulnerable to a denial of service, caused by a stack exhaustion in all Parse* functions. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-28863 | isaacs node-tar denial of service | isaacs node-tar is vulnerable to a denial of service, caused by the lack of folder count validation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-29018 | moby information disclosure | moby could allow a remote attacker to obtain sensitive information, caused by incorrect resource transfer between spheres. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information. |
| CVE-2024-41110 | Moby authz zero length regression | Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. |
| CVE-2024-45310 | Open Container Initiative runc security bypass | Open Container Initiative runc could allow a remote attacker to bypass security restrictions, caused by a race condition enabling a link following flaw. By persuading a victim to use a specially crafted volume configuration, an attacker could exploit this vulnerability to create empty files or directories on the host. |
| CVE-2025-21613 | | |
| CVE-2025-21614 | | |
| CVE-2024-52046 | Apache MINA code execution | Apache MINA could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw in ObjectSerializationDecoder. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
| CVE-2023-2727 | Kubernetes security bypass | Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when the ImagePolicyWebhook admission plugin is used together with ephemeral containers. By sending a specially crafted request, an attacker could exploit this vulnerability to launch restricted containers. |
| CVE-2023-2728 | Kubernetes security bypass | Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the mountable secrets policy to launch containers. |
| CVE-2024-7143 | Pulpcore: rbac permissions incorrectly assigned in tasks that create objects | A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the AutoAddObjPermsMixin (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing. |
| CVE-2022-2996 | Python python-scciclient package man-in-the-middle | Python python-scciclient package is vulnerable to a man-in-the-middle attack, caused by improper validation of the server certificate during an HTTPS connection. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. |
| CVE-2023-5764 | Ansible code execution | Ansible could allow a local authenticated attacker to execute arbitrary code on the system, caused by a template injection flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
| CVE-2024-0690 | Red Hat Ansible information disclosure | Red Hat Ansible could allow a local authenticated attacker to obtain sensitive information, caused by a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain decrypted secret values, and use this information to launch further attacks against the affected system. |
| CVE-2024-11079 | Ansible-core: unsafe tagging bypass via hostvars object in ansible-core | A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks. |
| CVE-2024-8775 | Ansible information disclosure | Ansible could allow a local authenticated attacker to obtain sensitive information, caused by a flaw during execution of a playbook. By gaining access to the playbook output or logs, an attacker could exploit this vulnerability to obtain sensitive secrets, and use this information to launch further attacks against the affected system. |
| CVE-2024-9902 | Red Hat Ansible security bypass | Red Hat Ansible could allow a local authenticated attacker to bypass security restrictions, caused by a flaw in the ansible-core user module. By sending a specially crafted request, an attacker could exploit this vulnerability to silently create or replace the contents of any file on any system path and take ownership of it. |
| CVE-2025-25184 | Rack log injection | Rack could allow a remote attacker to manipulate log entries, caused by a log injection flaw in Rack::CommonLogger. An attacker could exploit this vulnerability to obscure real activity or inject malicious data into log files. |
| CVE-2025-27111 | Rack security bypass | Rack could allow a remote attacker to manipulate log entries, caused by a log injection flaw in Rack::Sendfile. |
| CVE-2024-55565 | Nano ID denial of service | Nano ID is vulnerable to a denial of service, caused by improper input validation of non-integer values. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2023-45857 | Axios cross-site request forgery | Axios is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN cookie is available and the withCredentials setting is turned on, an attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. |
| CVE-2024-35255 | Microsoft Azure privilege escalation | Microsoft Azure Identity Libraries and Microsoft Authentication Library could allow a local authenticated attacker to gain elevated privileges on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to elevate privileges and read any file on the file system with SYSTEM access permissions. |
| CVE-2025-25283 | parse-duration denial of service | parse-duration is vulnerable to a denial of service, caused by an event loop delay and an out-of-memory condition that would crash a running Node.js application. |
| CVE-2024-1351 | MongoDB Server security bypass | MongoDB Server could allow a remote attacker to bypass security restrictions, caused by improper certificate validation in certain configurations of --tlsCAFile and tls.CAFile. By sending a specially crafted request, an attacker could exploit this vulnerability to allow untrusted connections to succeed. |
| CVE-2024-6384 | MongoDB Enterprise Server security bypass | MongoDB Enterprise Server could allow a remote authenticated attacker to bypass security restrictions. An attacker could exploit this vulnerability to download Hot Backup files. |
| CVE-2024-8305 | MongoDB denial of service | MongoDB is vulnerable to a denial of service, caused by incorrect enforcement of index constraints on secondaries. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause multiple secondaries to crash, resulting in a denial of service condition. |
| CVE-2021-32050 | Multiple MongoDB Drivers information disclosure | Multiple MongoDB Drivers could allow a local authenticated attacker to obtain sensitive information, caused by a flaw when the command listener feature is enabled. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain security-sensitive data, and use this information to launch further attacks against the affected system. |
| CVE-2023-26159 | follow-redirects open redirect | follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites. |
| CVE-2024-28849 | Node.js follow-redirects module information disclosure | Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by the leakage of credentials when clearing the authorization header during a cross-domain redirect but keeping the proxy-authentication header. An attacker could exploit this vulnerability to obtain credentials and other sensitive information. |
| CVE-2024-45590 | expressjs body-parser denial of service | expressjs body-parser is vulnerable to a denial of service, caused by a flaw when url encoding is enabled. By sending a specially crafted payload, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2022-21221 | Go fasthttp package directory traversal | Go fasthttp package could allow a remote attacker to traverse directories on the system, caused by improper validation of user requests by the ServeFile function. An attacker could send a specially crafted URL request containing the backslash (%5c) character to read or write arbitrary files on the system. |
| CVE-2023-48795 | OpenSSH machine-in-the-middle | OpenSSH is vulnerable to a machine-in-the-middle attack, caused by a flaw in the extension negotiation process in the SSH transport protocol when used with certain OpenSSH extensions. A remote attacker could exploit this vulnerability to launch a machine-in-the-middle attack and strip an arbitrary number of messages after the initial key exchange, breaking SSH extension negotiation and downgrading the client connection security. |
| CVE-2024-3817 | HashiCorp go-getter code execution | HashiCorp go-getter could allow a remote attacker to execute arbitrary code on the system, caused by an argument injection flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
| CVE-2024-6257 | HashiCorp go-getter code execution | HashiCorp go-getter could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper input validation. By using a specially crafted Git configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system. |

Fixed security-related vulnerabilities in previous versions

Review the following documentation, which includes the list of fixed reported security-related vulnerabilities in previous versions of IBM Cloud Pak for AIOps: