Description
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 does not invalidate a session after privileges have been modified which could allow an authenticated user to retain access to sensitive information.
CWE: CWE-613: Insufficient Session Expiration
CVSS Source: IBM
CVSS Base score: 6.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Published: 2026-03-25
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Persistent unauthorized access after privilege change
Action: Apply Patch
AI Analysis

Impact

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 do not invalidate a user session after privileges have been changed. If an authenticated user's privileges are modified, the existing session remains active, allowing continued access to data that should no longer be reachable. This weakness is classified as CWE-613 (Insufficient Session Expiration) and can lead to unauthorized retention of sensitive information.

Affected Systems

The vulnerability applies to IBM InfoSphere Information Server deployed on IBM AIX, Linux, and Microsoft Windows operating systems. All component versions from 11.7.0.0 up to and including 11.7.1.6 are affected. The vendor recommends applying the available product updates: IBM InfoSphere Information Server 11.7.1.0, 11.7.1.6, or the 11.7.1.6 Service Pack 2, depending on the environment.

Risk and Exploitability

The CVSS v3.1 score of 6.3 indicates medium severity; network access is required but no user interaction is needed, with low attack complexity and low required privileges. The EPSS probability is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting current exploitation is uncommon. Still, because the issue allows an authenticated user to maintain elevated access, it poses a significant risk in environments where credential compromise or privilege escalation is feasible.

Generated by OpenCVE AI on March 26, 2026 at 19:52 UTC.

Remediation

Vendor Solution

Product: IBM InfoSphere Information Server
Version(s): 11.7.0.0 to 11.7.1.6
APAR: DT458476 (https://www.ibm.com/mysupport/s/defect/aCIgJ0000008Z73/dt458476)
Remediation:
  • Apply IBM InfoSphere Information Server version 11.7.1.0 (https://www.ibm.com/support/pages/node/878310)
  • Apply IBM InfoSphere Information Server version 11.7.1.6 (https://www.ibm.com/support/pages/node/7182872)
  • Apply IBM InfoSphere Information Server 11.7.1.6 Service pack 2 (https://www.ibm.com/support/pages/node/7260779)


OpenCVE Recommended Actions

  • Apply IBM InfoSphere Information Server 11.7.1.6 or later to replace the affected version
  • If 11.7.1.6 is not available, apply IBM InfoSphere Information Server 11.7.1.0 following IBM's patch instructions
  • Apply the 11.7.1.6 Service Pack 2 update for additional security enhancements
  • Verify the operating system platform and ensure that the selected update is compatible with your deployment environment


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Ibm aix
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:ibm:infosphere_information_server:*:*:*:*:*:*:*:*
cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Ibm aix
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 26 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 does not invalidate a session after privileges have been modified which could allow an authenticated user to retain access to sensitive information. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CWE: CWE-613: Insufficient Session Expiration CVSS Source: IBM CVSS Base score: 6.3 CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Title IBM InfoSphere Information Server is vulnerable due to insufficient session expiration
First Time appeared Ibm
Ibm infosphere Information Server
Weaknesses CWE-613
CPEs cpe:2.3:a:ibm:infosphere_information_server:11.7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:infosphere_information_server:11.7.1.6:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm infosphere Information Server
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-26T17:51:17.562Z

Reserved: 2025-12-16T22:58:57.497Z

Link: CVE-2025-14810

Vulnrichment

Updated: 2026-03-26T17:49:51.943Z

NVD

Status: Analyzed

Published: 2026-03-25T21:16:23.997

Modified: 2026-03-26T18:22:50.440

Link: CVE-2025-14810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:29:49Z
