github - ghsa-xr9w-r8gw-wjhw

GHSA-XR9W-R8GW-WJHW

Vulnerability from github – Published: 2025-12-09 00:31 – Updated: 2025-12-09 00:31

Details

IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 stores unencrypted sensitive information in environmental variables files which can be obtained by an authenticated user.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-36017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-526"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-08T22:15:51Z",
    "severity": "MODERATE"
  },
  "details": "IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6\u00a0stores unencrypted sensitive information in environmental variables files which can be obtained by an authenticated user.",
  "id": "GHSA-xr9w-r8gw-wjhw",
  "modified": "2025-12-09T00:31:16Z",
  "published": "2025-12-09T00:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36017"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7253283"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2025-36017 (GCVE-0-2025-36017)

Vulnerability from cvelistv5 – Published: 2025-12-08 21:37 – Updated: 2025-12-09 16:05

Summary

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-526

Assigner

ibm

References

URL

Tags

https://www.ibm.com/support/pages/node/7253283

vendor-advisorypatch

Impacted products

	Vendor	Product	Version
	IBM	Controller	Affected: 11.1.0 , ≤ 11.1.1 (semver) cpe:2.3:a:ibm:controller:11.1.0:::::::* cpe:2.3:a:ibm:controller:11.1.1:::::::*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36017",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-09T15:24:58.789185Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-09T16:05:34.777Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:controller:11.1.1:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "Controller",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "11.1.1",
              "status": "affected",
              "version": "11.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6\u0026nbsp;stores unencrypted sensitive information in environmental variables files which can be obtained by an authenticated user.\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6\u00a0stores unencrypted sensitive information in environmental variables files which can be obtained by an authenticated user."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-526",
              "description": "CWE-526",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T21:37:10.807Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7253283"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "It is strongly recommended that you apply the most recent security updates:\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u003cbr\u003eAffected Product(s)  Version(s)  Fix\u003cbr\u003eIBM Controller  11.1.0 - 11.1.1  Download IBM Controller 11.1.2 from Passport Advantage\u003cbr\u003e\u003cbr\u003eIBM Controller 11.1.2 is available for Cloud deployment."
            }
          ],
          "value": "It is strongly recommended that you apply the most recent security updates:\n\u00a0 \u00a0 \nAffected Product(s)  Version(s)  Fix\nIBM Controller  11.1.0 - 11.1.1  Download IBM Controller 11.1.2 from Passport Advantage\n\nIBM Controller 11.1.2 is available for Cloud deployment."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Controller Information Disclosure",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36017",
    "datePublished": "2025-12-08T21:37:10.807Z",
    "dateReserved": "2025-04-15T21:16:07.863Z",
    "dateUpdated": "2025-12-09T16:05:34.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-XR9W-R8GW-WJHW

CVE-2025-36017 (GCVE-0-2025-36017)

Tags

Sightings

Nomenclature