Vulnerability-Lookup

CNVD-2026-12669

Vulnerability from cnvd - Published: 2026-03-05

Title

IBM Business Automation Workflow containers和IBM Business Automation Workflow traditional存在XML外部实体注入漏洞

Description

IBM Business Automation Workflow是美国国际商业机器（IBM）公司的一套工作流程自动化解决方案。该产品主要用于工作流程管理、合规性管理，并具有工作流程可见性和可扩展等特点。 IBM Business Automation Workflow containers V25.0.0至V25.0.0-IF007， V24.0.1至V24.0.1-IF007， V24.0.0至V24.0.0-IF007和IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0存在XML外部实体注入漏洞，攻击者可利用该漏洞导致泄露敏感信息或消耗内存资源。

Severity

高

Patch Name

IBM Business Automation Workflow containers和IBM Business Automation Workflow traditional存在XML外部实体注入漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.ibm.com/support/pages/node/7259321

Reference

https://www.ibm.com/support/pages/node/7259321

Impacted products

Name
['IBM Business Automation Workflow containers >=V25.0.0，<=V25.0.0-IF002', 'IBM Business Automation Workflow containers >=V24.0.1，<=V24.0.1-IF005', 'IBM Business Automation Workflow containers >=V24.0.0，<=V24.0.0-IF007', 'IBM Business Automation Workflow traditional 25.0.0', 'IBM Business Automation Workflow traditional 24.0.1', 'IBM Business Automation Workflow traditional 24.0.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-13096",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-13096"
    }
  },
  "description": "IBM Business Automation Workflow\u662f\u7f8e\u56fd\u56fd\u9645\u5546\u4e1a\u673a\u5668\uff08IBM\uff09\u516c\u53f8\u7684\u4e00\u5957\u5de5\u4f5c\u6d41\u7a0b\u81ea\u52a8\u5316\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u5de5\u4f5c\u6d41\u7a0b\u7ba1\u7406\u3001\u5408\u89c4\u6027\u7ba1\u7406\uff0c\u5e76\u5177\u6709\u5de5\u4f5c\u6d41\u7a0b\u53ef\u89c1\u6027\u548c\u53ef\u6269\u5c55\u7b49\u7279\u70b9\u3002\n\nIBM Business Automation Workflow containers V25.0.0\u81f3V25.0.0-IF007\uff0c V24.0.1\u81f3V24.0.1-IF007\uff0c V24.0.0\u81f3V24.0.0-IF007\u548cIBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u6cc4\u9732\u654f\u611f\u4fe1\u606f\u6216\u6d88\u8017\u5185\u5b58\u8d44\u6e90\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.ibm.com/support/pages/node/7259321",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-12669",
  "openTime": "2026-03-05",
  "patchDescription": "IBM Business Automation Workflow\u662f\u7f8e\u56fd\u56fd\u9645\u5546\u4e1a\u673a\u5668\uff08IBM\uff09\u516c\u53f8\u7684\u4e00\u5957\u5de5\u4f5c\u6d41\u7a0b\u81ea\u52a8\u5316\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u5de5\u4f5c\u6d41\u7a0b\u7ba1\u7406\u3001\u5408\u89c4\u6027\u7ba1\u7406\uff0c\u5e76\u5177\u6709\u5de5\u4f5c\u6d41\u7a0b\u53ef\u89c1\u6027\u548c\u53ef\u6269\u5c55\u7b49\u7279\u70b9\u3002\r\n\r\nIBM Business Automation Workflow containers V25.0.0\u81f3V25.0.0-IF007\uff0c V24.0.1\u81f3V24.0.1-IF007\uff0c V24.0.0\u81f3V24.0.0-IF007\u548cIBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u6cc4\u9732\u654f\u611f\u4fe1\u606f\u6216\u6d88\u8017\u5185\u5b58\u8d44\u6e90\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Business Automation Workflow containers\u548cIBM Business Automation Workflow traditional\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM Business Automation Workflow containers \u003e=V25.0.0\uff0c\u003c=V25.0.0-IF002",
      "IBM Business Automation Workflow containers \u003e=V24.0.1\uff0c\u003c=V24.0.1-IF005",
      "IBM Business Automation Workflow containers \u003e=V24.0.0\uff0c\u003c=V24.0.0-IF007",
      "IBM Business Automation Workflow traditional 25.0.0",
      "IBM Business Automation Workflow traditional 24.0.1",
      "IBM Business Automation Workflow traditional 24.0.0"
    ]
  },
  "referenceLink": "https://www.ibm.com/support/pages/node/7259321",
  "serverity": "\u9ad8",
  "submitTime": "2026-02-11",
  "title": "IBM Business Automation Workflow containers\u548cIBM Business Automation Workflow traditional\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2025-13096 (GCVE-0-2025-13096)

Vulnerability from cvelistv5 – Published: 2026-02-02 20:56 – Updated: 2026-02-03 15:39

Title

XML eXternal Entity injection (XXE) vulnerability affect IBM Business Automation Workflow -

Summary

IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

ibm

References

URL

Tags

https://www.ibm.com/support/pages/node/7259321

vendor-advisorypatch

Impacted products

Vendor

Product

Version

IBM

Business Automation Workflow containers

Affected: V25.0.0 , ≤ V25.0.0-IF002 (semver)
Affected: V24.0.1 , ≤ V24.0.1-IF005 (semver)
Affected: V24.0.0 , ≤ V24.0.0-IF007 (semver)
    cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:*
    cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if008:*:*:containers:*:*:*
    cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:*
    cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if006:*:*:containers:*:*:*
    cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:*
    cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if003:*:*:containers:*:*:*

IBM

Business Automation Workflow traditional

Affected: 25.0.0
Affected: 24.0.1
Affected: 24.0.0
    cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*
    cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*
    cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:traditional:*:*:*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13096",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T15:38:54.551059Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T15:39:59.140Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:containers:*:*:*",
            "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if008:*:*:containers:*:*:*",
            "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:containers:*:*:*",
            "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if006:*:*:containers:*:*:*",
            "cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:containers:*:*:*",
            "cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if003:*:*:containers:*:*:*"
          ],
          "product": "Business Automation Workflow containers",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "V25.0.0-IF002",
              "status": "affected",
              "version": "V25.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "V24.0.1-IF005",
              "status": "affected",
              "version": "V24.0.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "V24.0.0-IF007",
              "status": "affected",
              "version": "V24.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*",
            "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*",
            "cpe:2.3:a:ibm:business_automation_workflow:25.0.0:*:*:*:traditional:*:*:*"
          ],
          "product": "Business Automation Workflow traditional",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "25.0.0"
            },
            {
              "status": "affected",
              "version": "24.0.1"
            },
            {
              "status": "affected",
              "version": "24.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM Business Automation Workflow containers V25.0.0 through V25.0.0\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e-IF007\u003c/span\u003e, V24.0.1 - V24.0.1\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e-IF007\u003c/span\u003e, V24.0.0 - V24.0.0\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e-IF007\u003c/span\u003e and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A\u0026nbsp;remote attacker could exploit this vulnerability to expose sensitive information or consume memory\u0026nbsp;resources.\u003c/p\u003e"
            }
          ],
          "value": "IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A\u00a0remote attacker could exploit this vulnerability to expose sensitive information or consume memory\u00a0resources."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-02T20:56:48.318Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7259321"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\"\u003eDT456229\u003c/a\u003e\u0026nbsp;as soon as practical.\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected Product(s)\u003c/th\u003e\u003cth\u003eVersion(s)\u003c/th\u003e\u003cth\u003eRemediation / Fix\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV25.0.0\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.1\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7183042\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow containers\u003c/td\u003e\u003ctd\u003eV24.0.0\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7159792\"\u003e24.0.0-IF008\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow traditional\u003c/td\u003e\u003ctd\u003eV25.0.0\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\"\u003eDT456229\u003c/a\u003e\u0026nbsp;included in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-25000-interim-fixes\"\u003e25.0.0-IF003\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow traditional \u003c/td\u003e\u003ctd\u003eV24.0.1\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\"\u003eDT456229\u003c/a\u003e\u0026nbsp;included in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24010-interim-fixes\"\u003e24.0.1-IF006\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Business Automation Workflow traditional \u0026nbsp;\u003c/td\u003e\u003ctd\u003eV24.0.0\u003c/td\u003e\u003ctd\u003eApply \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI\"\u003eDT456229\u003c/a\u003e\u0026nbsp;included in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24000-interim-fixes\"\u003e24.0.0-IF008\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing  DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0as soon as practical.\n\nAffected Product(s)Version(s)Remediation / FixIBM Business Automation Workflow containersV25.0.0Apply  25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-25000-interim-fixes IBM Business Automation Workflow containersV24.0.1Apply  24.0.1-IF006 https://www.ibm.com/support/pages/node/7183042 IBM Business Automation Workflow containersV24.0.0Apply  24.0.0-IF008 https://www.ibm.com/support/pages/node/7159792 IBM Business Automation Workflow traditionalV25.0.0Apply  DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0included in  25.0.0-IF003 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-25000-interim-fixes IBM Business Automation Workflow traditional V24.0.1Apply  DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0included in  24.0.1-IF006 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24010-interim-fixes IBM Business Automation Workflow traditional \u00a0V24.0.0Apply  DT456229 https://www.ibm.com/mysupport/aCIgJ0000007aZpWAI \u00a0included in  24.0.0-IF008 https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-24000-interim-fixes"
        }
      ],
      "title": "XML eXternal Entity injection (XXE) vulnerability affect IBM Business Automation Workflow -",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-13096",
    "datePublished": "2026-02-02T20:56:48.318Z",
    "dateReserved": "2025-11-12T21:55:13.229Z",
    "dateUpdated": "2026-02-03T15:39:59.140Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-12669

CVE-2025-13096 (GCVE-0-2025-13096)

Tags

Sightings

Nomenclature