VYPR
Medium severity 6.1 · NVD Advisory · Published Mar 10, 2026 · Updated May 6, 2026

CVE-2025-36173

Description

Affected Product(s): InfoSphere Data Architect
Version(s): 9.2.1

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

InfoSphere Data Architect 9.2.1 is vulnerable to multiple Server-Side Request Forgery (SSRF) flaws via the embedded Apache Batik library, allowing remote attackers to read files or send requests to internal resources.

Vulnerability Overview

InfoSphere Data Architect (IDA) 9.2.1 includes Apache Batik version 1.14, which contains multiple Server-Side Request Forgery (SSRF) vulnerabilities. These flaws, tracked as CVE-2022-38398, CVE-2022-38648, CVE-2022-40146, CVE-2022-44729, and CVE-2022-44730, allow an attacker to load external resources via the jar protocol or probe internal data through malicious SVG files [1].

Exploitation Conditions

An attacker can exploit these vulnerabilities by supplying a specially crafted SVG file to the Batik library. No authentication is required, and the attack can be performed over the network. The SVG may trigger Batik to make requests to arbitrary URLs, including internal systems, or read local files using the jar protocol [1].
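
A pre-screening check for the condition described above, as an added example that is not part of the advisory or of IBM's fix: it lists every reference in an SVG that would make a renderer fetch something outside the document itself. The allow-list policy, the function names and the sample hosts are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Assumed policy: only same-document fragments (#id) and data: URIs are allowed.
ALLOWED_SCHEMES = {"data"}
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


def classify(ref):
    """Return the offending scheme ('relative' if none), or None if allowed."""
    ref = ref.strip()
    if not ref or ref.startswith("#"):
        return None
    match = SCHEME.match(ref)
    scheme = match.group(1).lower() if match else "relative"
    return None if scheme in ALLOWED_SCHEMES else scheme


def find_external_refs(svg_text):
    """List (element, attribute, scheme, value); bad XML raises ET.ParseError."""
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]          # drop the namespace part
        sources = []
        for name, value in elem.attrib.items():
            attr = name.rsplit("}", 1)[-1]         # xlink:href -> href
            refs = [value] if attr in ("href", "src") else CSS_URL.findall(value)
            sources += [(attr, r) for r in refs]
        if tag == "style" and elem.text:           # <style> blocks with url(...)
            sources += [("css", r) for r in CSS_URL.findall(elem.text)]
        for attr, ref in sources:
            scheme = classify(ref)
            if scheme:
                findings.append((tag, attr, scheme, ref))
    return findings


# Constructed sample input (hosts are placeholders, not taken from the advisory).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect fill="url(#g)"/><use xlink:href="#g"/>
  <image xlink:href="http://internal.example/status"/>
  <image href="jar:http://files.example/a.jar!/b.svg"/>
  <image href="data:image/png;base64,AAAA"/>
  <rect style="fill:url(theme/fill.svg#p)"/>
</svg>"""

if __name__ == "__main__":
    print(*find_external_refs(SAMPLE_SVG), sep="\n")
```

This check does not inspect processing instructions or DOCTYPE declarations.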

Potential Impact

Successful exploitation could lead to information disclosure, such as reading sensitive files or probing internal network services. The CVSS v3 base scores range from 5.3 to 7.5, reflecting varying impacts including high confidentiality impact in some cases [1].

Mitigation

IBM has addressed these issues in a security update. Users are advised to apply the fix provided in the advisory to upgrade Batik to a non-vulnerable version [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:ibm:infosphere_data_architect:9.2.1:*:*:*:*:*:*:*
  • (no CPE) range: = 9.2.1

Patches

0

No patches discovered yet.

References

1