CVE-2025-36139
📋 TL;DR
IBM Lakehouse (watsonx.data 2.2) contains a stored cross-site scripting vulnerability that allows privileged users to inject malicious JavaScript into the web interface. This could enable attackers to steal credentials or manipulate user sessions within trusted environments. Only authenticated privileged users can exploit this vulnerability.
💻 Affected Systems
- IBM Lakehouse
- IBM watsonx.data
⚠️ Risk & Real-World Impact
Worst Case
Privileged attacker steals administrator credentials, gains full system access, and compromises the entire watsonx.data environment and connected data sources.
Likely Case
Privileged insider or compromised account injects malicious scripts to steal session cookies or credentials from other users, leading to unauthorized data access.
If Mitigated
With proper access controls and input validation, impact is limited to isolated UI manipulation without credential theft.
🎯 Exploit Status
Requires privileged user credentials; exploitation involves injecting JavaScript payloads into web UI components that persist and execute for other users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply fix from IBM Security Bulletin
Vendor Advisory: https://www.ibm.com/support/pages/node/7245387
Restart Required: No
Instructions:
1. Review the IBM Security Bulletin.
2. Apply the provided fix or upgrade to a patched version.
3. Validate the fix by testing XSS payloads in the web UI.
🔧 Temporary Workarounds
- Input Validation Enhancement: Implement additional input validation and output encoding for user-controllable data in the web UI
- Privilege Reduction: Review and minimize the number of privileged user accounts with web UI access
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Monitor privileged user activities and audit all web UI modifications
🔍 How to Verify
Check if Vulnerable:
Test by attempting to inject basic XSS payloads (e.g., <script>alert('test')</script>) as a privileged user in web UI input fields
Check Version:
Check watsonx.data version through administration console or product documentation
Verify Fix Applied:
After applying patch, test XSS payloads again to ensure they are properly sanitized and do not execute
📡 Detection & Monitoring
Log Indicators:
- Unusual web UI modifications by privileged users
- JavaScript injection patterns in application logs
- Multiple failed XSS attempts
Network Indicators:
- Unexpected JavaScript payloads in HTTP requests to web UI endpoints
SIEM Query:
search 'privileged_user' AND ('script' OR 'javascript' OR 'onload' OR 'onerror') in web_access_logs
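As an added example (not part of this advisory and not IBM's code), the SIEM query above turned into a Python rule over constructed web access log lines. It narrows the match to write requests by privileged users whose decoded body carries script markup, so that prose merely containing the word "javascript" is not flagged; the log line format and the role names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real watsonx.data output). Assumed format:
# user=<name> role=<role> method=<verb> path=<path> body=<url-encoded body>
SAMPLE_LOGS = [
    "user=alice role=admin method=POST path=/ui/catalog/description body=name%3DSales%26desc%3DQuarterly+figures",
    "user=bob role=admin method=POST path=/ui/catalog/description body=desc%3D%3Cimg+src%3Dx+onerror%3Dalert(1)%3E",
    "user=carol role=viewer method=GET path=/ui/catalog body=",
    "user=dave role=admin method=POST path=/ui/engine/label body=label%3D%3Cscript%3Ealert(%27test%27)%3C/script%3E",
    "user=erin role=admin method=POST path=/ui/catalog/description body=desc%3DJavascript+team+onboarding+notes",
]

# Roles treated as privileged for this rule (assumption; adapt to the deployment's role names).
PRIVILEGED_ROLES = {"admin", "owner"}
WRITE_METHODS = {"POST", "PUT", "PATCH"}

# Markup-aware patterns: a <script> tag, an inline event-handler attribute, or a javascript: URI.
# Matching bare words such as "script" or "javascript" (as the naive query does) would flag ordinary text.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon(load|error|click|mouseover|focus)\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Split one 'key=value' log line into a dict and URL-decode the body field."""
    fields = dict(FIELD_RE.findall(line))
    fields["body"] = unquote_plus(fields.get("body", ""))
    return fields


def flag_privileged_script_writes(lines):
    """Return (user, path, matched_text) for write requests by privileged users whose body
    contains script markup. Read-only requests and non-privileged users are skipped."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f.get("role") not in PRIVILEGED_ROLES or f.get("method") not in WRITE_METHODS:
            continue
        for pat in XSS_PATTERNS:
            m = pat.search(f["body"])
            if m:
                hits.append((f["user"], f["path"], m.group(0)))
                break  # one alert per request is enough
    return hits


if __name__ == "__main__":
    for hit in flag_privileged_script_writes(SAMPLE_LOGS):
        print("ALERT privileged script write:", hit)
```

Run against the sample lines, the rule raises two alerts (bob and dave) and stays silent on erin's description, which the keyword-only query would have reported.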