CVE-2025-36058
Configuration Information Disclosure in IBM Business Automation Workflow Containers
Publication date: 2026-01-20
Last updated on: 2026-02-17
Assigner: IBM Corporation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | business_automation_workflow | 24.0.0 |
| ibm | business_automation_workflow | 24.0.1 |
| ibm | business_automation_workflow | 25.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-538 | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability, identified as CVE-2025-36058, affects IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers, versions 24.0.0 through 25.0.0 (including certain interim fixes). It involves the potential disclosure of sensitive configuration information through a config map: sensitive data stored in configuration files could be exposed to unauthorized local users who have access to the container environment. The issue is classified under CWE-538, which covers the insertion of sensitive information into externally accessible files or directories. [1]
How can this vulnerability impact me?
The impact of this vulnerability is primarily on confidentiality. An attacker with local access to the affected containers could read sensitive configuration information that should remain protected. This could lead to unauthorized disclosure of sensitive data, potentially compromising security settings or credentials stored in the config map. The vulnerability does not affect the integrity or availability of the system. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, apply the appropriate fix pack for your IBM Business Automation Workflow container version: fix pack 24.0.0-IF007 for the 24.0.0 series, fix pack 24.0.1-IF006 for the 24.0.1 series, or fix pack 25.0.0-IF003 for the 25.0.0 series. Unsupported or end-of-life versions are not covered, so upgrading to a supported, fixed version is recommended. No other workarounds or mitigations are provided. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.