github - ghsa-g96v-hcqx-rf45

GHSA-G96V-HCQX-RF45

Vulnerability from github – Published: 2025-09-11 21:31 – Updated: 2025-09-11 21:31

Details

IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 uses insecure default configurations that could expose AMQStreams without client authentication that could allow an attacker to perform unauthorized actions.

Severity ?

8.7 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-36222"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-11T21:15:34Z",
    "severity": "HIGH"
  },
  "details": "IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 uses insecure default configurations that could expose AMQStreams without client authentication that could allow an attacker to perform unauthorized actions.",
  "id": "GHSA-g96v-hcqx-rf45",
  "modified": "2025-09-11T21:31:55Z",
  "published": "2025-09-11T21:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36222"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7244646"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2025-36222 (GCVE-0-2025-36222)

Vulnerability from cvelistv5 – Published: 2025-09-11 20:44 – Updated: 2025-09-13 03:55

Summary

Severity ?

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-1188 - Insecure Default Initialization of Resource

Assigner

ibm

References

URL

Tags

https://www.ibm.com/support/pages/node/7244646

vendor-advisorypatch

Impacted products

Vendor

Product

Version

IBM

Fusion

Affected: 2.2.0 , ≤ 2.10.1 (semver)
cpe:2.3:a:ibm:storage_fusion:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:storage_fusion:2.10.1:*:*:*:*:*:*:*

	IBM	Fusion HCI	Affected: 2.2.0 , ≤ 2.10.0 (semver) cpe:2.3:a:ibm:storage_fusion_hci:2.2.0:::::::* cpe:2.3:a:ibm:storage_fusion_hci:2.10.0:::::::*
	IBM	Fusion HCI for watsonx	Affected: 2.8.2 , ≤ 2.10.0 (semver) cpe:2.3:a:ibm:storage_fusion_hci_for_watsonx:2.8.2:::::::* cpe:2.3:a:ibm:storage_fusion_hci_for_watsonx:2.10.0:::::::*

Credits

Robert Hotchkiss

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36222",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-12T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-13T03:55:38.759Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:storage_fusion:2.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:storage_fusion:2.10.1:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "Fusion",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "2.10.1",
              "status": "affected",
              "version": "2.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:ibm:storage_fusion_hci:2.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:storage_fusion_hci:2.10.0:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "Fusion HCI",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "2.10.0",
              "status": "affected",
              "version": "2.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:ibm:storage_fusion_hci_for_watsonx:2.8.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:storage_fusion_hci_for_watsonx:2.10.0:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "Fusion HCI for watsonx",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "2.10.0",
              "status": "affected",
              "version": "2.8.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Robert Hotchkiss"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 uses insecure default configurations that could expose AMQStreams without client authentication that could allow an attacker to perform unauthorized actions."
            }
          ],
          "value": "IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 uses insecure default configurations that could expose AMQStreams without client authentication that could allow an attacker to perform unauthorized actions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188 Insecure Default Initialization of Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-11T20:44:06.696Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7244646"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now.\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eProducts\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eVersion range \u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eRemediation Instructions\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Fusion\u003c/td\u003e\u003ctd\u003e2.2.0 - 2.10.1\u003c/td\u003e\u003ctd\u003eUpgrade to IBM Fusion 2.11.0. See the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7242341\"\u003eREADME\u003c/a\u003e\u0026nbsp;for instructions..\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Fusion HCI\u003c/td\u003e\u003ctd\u003e2.2.0 - 2.10.0\u003c/td\u003e\u003ctd\u003eUpgrade to IBM Fusion HCI 2.11.0. See the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7242340\"\u003eREADME\u003c/a\u003e\u0026nbsp;for instructions.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Fusion HCI for watsonx\u003c/td\u003e\u003ctd\u003e2.8.2 - 2.10.0\u003c/td\u003e\u003ctd\u003eUpgrade to IBM Fusion HCI for watsonx 2.11.0. See \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7242340\"\u003eREADME\u003c/a\u003e\u0026nbsp;for instructions.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "IBM strongly recommends addressing the vulnerability now.\n\nProductsVersion range Remediation InstructionsIBM Fusion2.2.0 - 2.10.1Upgrade to IBM Fusion 2.11.0. See the  README https://www.ibm.com/support/pages/node/7242341 \u00a0for instructions..IBM Fusion HCI2.2.0 - 2.10.0Upgrade to IBM Fusion HCI 2.11.0. See the  README https://www.ibm.com/support/pages/node/7242340 \u00a0for instructions.IBM Fusion HCI for watsonx2.8.2 - 2.10.0Upgrade to IBM Fusion HCI for watsonx 2.11.0. See  README https://www.ibm.com/support/pages/node/7242340 \u00a0for instructions."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Fusion insecure default configuration",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36222",
    "datePublished": "2025-09-11T20:44:06.696Z",
    "dateReserved": "2025-04-15T21:16:41.802Z",
    "dateUpdated": "2025-09-13T03:55:38.759Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-G96V-HCQX-RF45

CVE-2025-36222 (GCVE-0-2025-36222)

Tags

Sightings

Nomenclature