CVE-2025-36133
BaseFortify
Publication date: 2025-09-01
Last updated on: 2025-12-18
Assigner: IBM Corporation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | app_connect_enterprise_certified_containers_operands | 12.0.9.0 |
| ibm | app_connect_enterprise_certified_containers_operands | 12.0.10.0 |
| ibm | app_connect_enterprise_certified_containers_operands | 12.0.11.1 |
| ibm | app_connect_enterprise_certified_containers_operands | 12.0.11.2 |
| ibm | app_connect_enterprise_certified_containers_operands | 12.0.11.3 |
| ibm | app_connect_enterprise_certified_containers_operands | 12.0.12 |
| ibm | app_connect_enterprise_certified_containers_operands | 12.0.12.0 |
| ibm | app_connect_enterprise_certified_containers_operands | 12.0.12.2 |
| ibm | app_connect_enterprise_certified_containers_operands | 12.0.12.3 |
| ibm | app_connect_enterprise_certified_containers_operands | 12.0.12.4 |
| ibm | app_connect_enterprise_certified_containers_operands | 12.0.12.5 |
| ibm | app_connect_enterprise_certified_containers_operands | 13.0.1.0 |
| ibm | app_connect_enterprise_certified_containers_operands | 13.0.1.1 |
| ibm | app_connect_enterprise_certified_containers_operands | 13.0.2.0 |
| ibm | app_connect_enterprise_certified_containers_operands | 13.0.2.1 |
| ibm | app_connect_enterprise_certified_containers_operands | 13.0.2.2 |
| ibm | app_connect_enterprise_certified_containers_operands | 13.0.3.0 |
| ibm | app_connect_enterprise_certified_containers_operands | 13.0.3.1 |
| ibm | app_connect_enterprise_certified_containers_operands | 13.0.4.0 |
| ibm | app_connect_enterprise_certified_containers_operands | 13.0.4.1 |
| ibm | app_connect_operator | From 9.2.0 (inc) to 11.6.0 (inc) |
| ibm | app_connect_operator | From 12.0.0 (inc) to 12.15.0 (exc) |
| ibm | app_connect_operator | From 12.1.0 (inc) to 12.15.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-36133 is a vulnerability in IBM App Connect Enterprise Certified Container where during installation, potentially sensitive information is stored in log files. These log files can be accessed by a local user on the container, which leads to a loss of confidentiality. The issue is classified as CWE-532, meaning sensitive information is improperly inserted into log files. Exploiting this vulnerability requires local access with high attack complexity but no privileges or user interaction. [1]
How can this vulnerability impact me?
This vulnerability can impact you by exposing sensitive information stored in installation log files to any local user on the container. This exposure results in a confidentiality breach, potentially allowing unauthorized users to access sensitive data. However, it does not affect the integrity or availability of the system. The vulnerability requires local access and is complex to exploit. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves sensitive information being stored in log files during installation that can be read by a local user on the container. Detection would involve inspecting the log files generated during the installation of IBM App Connect Enterprise Certified Container for potentially sensitive information. Since the vulnerability requires local access and is related to log file contents, commands to check log files on the container such as 'cat', 'less', or 'grep' can be used to search for sensitive data in installation logs. However, no specific detection commands or automated detection methods are provided. [1]
What immediate steps should I take to mitigate this vulnerability?
IBM recommends upgrading to fixed versions to mitigate this vulnerability. For Continuous Delivery releases, upgrade to App Connect Enterprise Certified Container Operator version 12.15.0 or higher, ensuring all DesignerAuthoring components are at 13.0.4.2-r1 or higher. For 12.0 LTS releases, upgrade to version 12.0.15 or higher with DesignerAuthoring components at 12.0.12-r15 or higher. No workarounds or mitigations are available other than upgrading. [1]
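The fix thresholds above can be turned into a quick inventory check. The following is an added example (not BaseFortify's or IBM's code) that compares an operator version and a DesignerAuthoring version against the minimums the advisory states; it assumes the `-rN` build suffix sorts numerically after the dotted part, and the caller says which release stream (Continuous Delivery or 12.0 LTS) is in use.

```python
# Added example: decide whether an IBM App Connect deployment has reached the
# fixed versions stated for CVE-2025-36133. Thresholds are copied from the
# advisory text; sample version strings in the tests are constructed input.
from typing import List, Tuple

# (operator minimum, DesignerAuthoring minimum) per release stream, from the page.
FIXED_CD = ("12.15.0", "13.0.4.2-r1")    # Continuous Delivery releases
FIXED_LTS = ("12.0.15", "12.0.12-r15")   # 12.0 LTS releases


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '12.0.12-r15' into (12, 0, 12, 0, 15).

    Assumption: the dotted part is padded to four numeric components and the
    optional '-rN' build suffix becomes a fifth component, so '13.0.4.2-r1'
    sorts above '13.0.4.1-r3'. Non-numeric components raise ValueError.
    """
    main, _, build = v.strip().partition("-r")
    parts = [int(p) for p in main.split(".")]
    while len(parts) < 4:
        parts.append(0)
    parts.append(int(build) if build else 0)
    return tuple(parts)


def lagging_components(operator_version: str, designer_version: str, lts: bool) -> List[str]:
    """Return the names of components still below the advisory's fix level."""
    op_min, da_min = FIXED_LTS if lts else FIXED_CD
    lagging = []
    if parse_version(operator_version) < parse_version(op_min):
        lagging.append("operator")
    if parse_version(designer_version) < parse_version(da_min):
        lagging.append("DesignerAuthoring")
    return lagging


def is_fixed(operator_version: str, designer_version: str, lts: bool) -> bool:
    """True only when both the operator and DesignerAuthoring meet the minimum."""
    return not lagging_components(operator_version, designer_version, lts)


if __name__ == "__main__":
    # Constructed sample: a CD operator at 12.14.0 with an older DesignerAuthoring.
    print(lagging_components("12.14.0", "13.0.4.1-r3", lts=False))
```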