{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14974", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-12-19T15:09:58.873Z", "datePublished": "2026-03-25T20:20:27.484Z", "dateUpdated": "2026-03-25T20:20:27.484Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-03-25T20:20:27.484Z"}, "title": "IBM InfoSphere Information Server is vulnerable due to Insecure Direct Object Reference", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "InfoSphere Information Server", "versions": [{"status": "affected", "version": "11.7.0.0", "lessThanOrEqual": "11.7.1.6", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:infosphere_information_server:11.7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:infosphere_information_server:11.7.1.6:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR).</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7266723", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.7, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "ProductVersion(s)APARRemediationIBM InfoSphere Information Server11.7.0.0 to 11.7.1.6 DT458648 https://www.ibm.com/mysupport/s/defect/aCIgJ0000008daT/dt458648 --Apply IBM InfoSphere Information Server version\u00a0 11.7.1.0 https://www.ibm.com/support/pages/node/878310 \u00a0\n--Apply IBM InfoSphere Information Server version\u00a0 11.7.1.6 https://www.ibm.com/support/pages/node/7182872 \n\n--Apply IBM InfoSphere Information Server\u00a0 11.7.1.6 Service pack 2 https://www.ibm.com/support/pages/node/7260779", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<table><tbody><tr><td>Product</td><td>Version(s)</td><td>APAR</td><td>Remediation</td></tr><tr><td>IBM InfoSphere Information Server</td><td>11.7.0.0 to 11.7.1.6</td><td><a title=\"DT458648\" href=\"https://www.ibm.com/mysupport/s/defect/aCIgJ0000008daT/dt458648\" rel=\"nofollow\">DT458648</a></td><td>--Apply IBM InfoSphere Information Server version&nbsp;<a href=\"https://www.ibm.com/support/pages/node/878310\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">11.7.1.0</a>&nbsp;<br>--Apply IBM InfoSphere Information Server version&nbsp;<a href=\"https://www.ibm.com/support/pages/node/7182872\" rel=\"nofollow\">11.7.1.6</a><br><br>--Apply IBM InfoSphere Information Server&nbsp;<a href=\"https://www.ibm.com/support/pages/node/7260779\" rel=\"nofollow\">11.7.1.6 Service pack 2</a></td></tr></tbody></table>"}]}], "x_generator": {"engine": "ibm-cvegen"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR)."}], "id": "CVE-2025-14974", "lastModified": "2026-03-25T21:16:24.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-03-25T21:16:24.737", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7266723"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T21:25:54.606732+00:00", "value": {"mitigation_remediation": ["Apply IBM InfoSphere Information Server version\u00a011.7.1.0 (https://www.ibm.com/support/pages/node/878310)", "Apply IBM InfoSphere Information Server version\u00a011.7.1.6 (https://www.ibm.com/support/pages/node/7182872)", "Apply IBM InfoSphere Information Server\u00a011.7.1.6 Service pack\u00a02 (https://www.ibm.com/support/pages/node/7260779)", "Review and tighten access control policies to ensure that only authorized users can request and retrieve object identifiers"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6. Systems running any of these versions are susceptible to IDOR exploitation and should be examined for potential unauthorized access paths.", "description_and_impact": "IBM InfoSphere Information Server is affected by an Insecure Direct Object Reference (IDOR) flaw that can allow an attacker to infer or guess identifiers and access or modify objects without proper authorization. This can lead to unauthorized disclosure, tampering, or deletion of sensitive data within the system, compromising both confidentiality and integrity. The weakness corresponds to CWE\u2011639, which describes the failure to protect against direct access to protected objects.", "risk_and_exploitability": "The CVSS base score of 5.7 classifies the issue as medium severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, indicating it is not known to be actively exploited at scale. The likely attack vector is via the application or web interface, where an attacker could manipulate object identifiers to reach protected resources. Exploitation requires the ability to query or browse object IDs, so attackers with network access to the application are the primary threat."}}}}, "created": "2026-03-25T21:46:11.340954+00:00", "updated": "2026-03-25T21:46:11.340995+00:00", "vendors": []}