SB2026022530 - Multiple vulnerabilities in IBM Automation Decision Services

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Use of insufficiently random values (CVE-ID: CVE-2025-7783)

The vulnerability allows a remote attacker to perform parameter injection attacks.

The vulnerability exists due to software uses a weak Math.random() method to generated random values for multipart form-encoded data. A remote attacker can observe values produced by Math.random in the target application and predict the random number used to generate form-data's boundary value and inject arbitrary parameters into requests. 

2) Input validation error (CVE-ID: CVE-2025-47913)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when handling SSH_AGENT_SUCCESS responses in ssh agent. A malicious server can send a specially crafted response to the ssh client and crash it. 

3) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2025-49574)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to an error when duplicating a duplicated context. A remote user can gain access to sensitive information, such as request scope, security details, and metadata.

4) Out-of-bounds read (CVE-ID: CVE-2024-36124)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due Snappy tries to read outside the bounds of the given byte arrays when uncompressing certain data. A remote attacker can create a non-deterministic behavior or crash the JVM.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7261723