Vendor
International Business Machines Corporation, doing business as IBM, is an American multinational technology company headquartered in Armonk, New York, and present in over 175 countries. It is a publicly traded company and one of the 30 companies in the Dow Jones Industrial Average. IBM is the largest industrial research organization in the world, with 19 research facilities across a dozen countries; for 29 consecutive years, from 1993 to 2021, it held the record for most annual U.S. patents generated by a business.
Founded: 1911
Products: 829
CVEs: 3,862
Across products: 43,516
Status: Private
Products (829)
- 8,436 CVEs
- 2,264 CVEs
- 1,406 CVEs
- 1,253 CVEs
- 1,243 CVEs
- 1,200 CVEs
- 1,090 CVEs
- 961 CVEs
- 945 CVEs
- 772 CVEs
- 707 CVEs
- 630 CVEs
- 593 CVEs
- 545 CVEs
- 541 CVEs
- 537 CVEs
- 526 CVEs
- 463 CVEs
- 462 CVEs
- 457 CVEs
- 435 CVEs
- 423 CVEs
- 389 CVEs
- 361 CVEs
- 360 CVEs
- 358 CVEs
- 328 CVEs
- 322 CVEs
- 307 CVEs
- 303 CVEs
+ 799 more — see CVE list below for full coverage.
Recent CVEs (3,862)

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-7450 | Cri | 0.86 | 9.8 | 0.93 | KEV | Jan 2, 2016 | Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library. |
| CVE-2014-7169 | Cri | 0.86 | 9.8 | 0.89 | KEV | Sep 25, 2014 | GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. |
| CVE-2014-6271 | Cri | 0.86 | 9.8 | 0.94 | KEV | Sep 24, 2014 | GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. |
| CVE-2017-5638 | Cri | 0.85 | 9.8 | 0.94 | KEV | Mar 11, 2017 | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. |
| CVE-2017-1092 | Cri | 0.73 | 9.8 | 0.82 | | May 22, 2017 | IBM Informix Open Admin Tool 11.5, 11.7, and 12.1 could allow an unauthorized user to execute arbitrary code as system admin on Windows servers. IBM X-Force ID: 120390. |
| CVE-2016-8938 | Cri | 0.65 | 10.0 | 0.01 | | Feb 1, 2017 | IBM UrbanCode Deploy could allow a user to execute code using a specially crafted file upload that would replace code on the server. This code could be executed on the UCD agent machines that host customer's production applications. |
| CVE-2015-7426 | Cri | 0.65 | 10.0 | 0.03 | | Jan 2, 2016 | The Data Protection extension in the VMware GUI in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (aka Spectrum Protect for Virtual Environments) 7.1 before 7.1.3.0 and Tivoli Storage FlashCopy Manager for VMware (aka Spectrum Protect Snapshot) 4.1 before 4.1.3.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors. |
| CVE-2017-1710 | Cri | 0.64 | 9.8 | 0.04 | | Nov 13, 2017 | A vulnerability in the Service Assistant GUI in IBM Storwize V7000 (2076) 8.1 could allow a remote attacker to perform a privilege escalation. IBM X-Force ID: 134531. |
| CVE-2017-1221 | Cri | 0.64 | 9.8 | 0.00 | | Nov 13, 2017 | IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 123861. |
| CVE-2017-1376 | Cri | 0.64 | 9.8 | 0.01 | | Aug 29, 2017 | A flaw in the IBM J9 VM class verifier allows untrusted code to disable the security manager and elevate its privileges. IBM X-Force ID: 126873. |
| CVE-2017-1253 | Cri | 0.64 | 9.9 | 0.01 | | Jul 5, 2017 | IBM Security Guardium 10.0 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 124633. |
| CVE-2017-1175 | Cri | 0.64 | 9.8 | 0.01 | | Jul 5, 2017 | IBM Maximo Asset Management 7.1, 7.5, and 7.6 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 123297. |
| CVE-2017-1269 | Cri | 0.64 | 9.8 | 0.01 | | Jul 5, 2017 | IBM Security Guardium 10.0 and 10.1 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 124744. |
| CVE-2017-1197 | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2017 | IBM BigFix Compliance (TEMA SUAv1 SCA SCM) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 123672. |
| CVE-2017-1196 | Cri | 0.64 | 9.8 | 0.00 | | Jun 7, 2017 | IBM BigFix Compliance (TEMA SUAv1 SCA SCM) 1.9.70 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 123671. |
| CVE-2016-9005 | Cri | 0.64 | 9.8 | 0.01 | | Feb 8, 2017 | IBM System Storage TS3100-TS3200 Tape Library could allow an unauthenticated user with access to the company network, to change a user's password and gain remote access to the system. |
| CVE-2016-8954 | Cri | 0.64 | 9.8 | 0.01 | | Feb 8, 2017 | IBM dashDB Local uses hard-coded credentials that could allow a remote attacker to gain access to the Docker container or database. |
| CVE-2016-6095 | Cri | 0.64 | 9.8 | 0.00 | | Feb 2, 2017 | IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. |
| CVE-2016-6090 | Cri | 0.64 | 9.8 | 0.01 | | Feb 1, 2017 | IBM WebSphere Commerce contains an unspecified vulnerability that could allow disclosure of user personal data, performing of unauthorized administrative operations, and potentially causing a denial of service. |
| CVE-2016-5964 | Cri | 0.64 | 9.8 | 0.00 | | Feb 1, 2017 | IBM Security Privileged Identity Manager Virtual Appliance version 2.0.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. |