Security Vulnerability Report
CVE-2025-36058 CVSS 5.5 MEDIUM

Published: 2026-01-20 16:16:03
Last Modified: 2026-02-17 17:29:29

Description

IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006 may disclose sensitive configuration information in a config map.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:business_automation_workflow:24.0.0:-:*:*:containers:*:*:* - VULNERABLE
cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if001:*:*:containers:*:*:* - VULNERABLE
cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if002:*:*:containers:*:*:* - VULNERABLE
cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if003:*:*:containers:*:*:* - VULNERABLE
cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if004:*:*:containers:*:*:* - VULNERABLE
IBM Business Automation Workflow containers 25.0.0 < IF002
IBM Business Automation Workflow containers 24.0.1 < IF005
IBM Business Automation Workflow containers 24.0.0 < IF006
IBM Cloud Pak for Business Automation (all affected BAW versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-36058 PoC - ConfigMap Sensitive Information Disclosure
# Target: IBM Business Automation Workflow containers
# Environment: Kubernetes/OpenShift cluster with affected IBM BAW versions

import requests  # needed only if the commented-out response handling below is enabled


def check_configmap_sensitive_info(namespace="ibm-baw", configmap_name=""):
    """
    Check if ConfigMap contains sensitive configuration information
    that should not be exposed.
    """
    # Common ConfigMap names in IBM BAW deployments
    common_configmaps = [
        "baw-config",
        "baw-icp-config",
        "baw-secrets",
        "baw-credentials",
        "icp-baw-config",
        "workflow-config",
    ]

    # Sensitive keywords to look for in ConfigMap data
    sensitive_keywords = [
        "password", "secret", "key", "token", "credential",
        "api_key", "apikey", "auth", "private", "certificate",
    ]

    if not configmap_name:
        configmap_names = common_configmaps
    else:
        configmap_names = [configmap_name]

    print(f"[*] Scanning namespace: {namespace}")
    print(f"[*] Target ConfigMaps: {configmap_names}")

    # Simulate API call to get ConfigMap
    # In a real attack, use: kubectl get configmap <name> -n <namespace> -o json
    # Or: GET /api/v1/namespaces/{namespace}/configmaps/{name}
    for cm_name in configmap_names:
        print(f"\n[?] Checking ConfigMap: {cm_name}")

        # Example API request structure (placeholders only; no request is sent)
        api_url = f"https://<k8s-api-server>/api/v1/namespaces/{namespace}/configmaps/{cm_name}"
        headers = {
            "Authorization": "Bearer <service-account-token>"
        }

        # In vulnerable versions, this request may succeed with low privileges
        # and return sensitive configuration data

        # Check for sensitive data patterns
        # configmap_data = response.json().get('data', {})
        # for key, value in configmap_data.items():
        #     if any(kw in key.lower() for kw in sensitive_keywords):
        #         print(f"[!] Sensitive data found: {key}")
        pass


def verify_vulnerability(namespace="ibm-baw"):
    """
    Verify if the system is vulnerable to CVE-2025-36058
    """
    # Prints the advisory metadata only; nothing in the cluster is queried.
    print("\n[*] Verifying CVE-2025-36058 vulnerability...")
    print("[*] Affected versions:")
    print(" - BAW 25.0.0 < IF002")
    print(" - BAW 24.0.1 < IF005")
    print(" - BAW 24.0.0 < IF006")
    print("[*] CVSS Score: 5.5 (Medium)")
    print("[*] Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N")


if __name__ == "__main__":
    verify_vulnerability()
    check_configmap_sensitive_info()

References

https://www.ibm.com/support/pages/node/7256777 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36058", "sourceIdentifier": "[email protected]", "published": "2026-01-20T16:16:02.743", "lastModified": "2026-02-17T17:29:28.760", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map."}, {"lang": "es", "value": "Contenedores de IBM Business Automation Workflow 25.0.0 hasta 25.0.0 Interim Fix 002, 24.0.1 hasta 24.0.1 Interim Fix 005, y 24.0.0 hasta 24.0.0 Interim Fix 006. Los contenedores de IBM Cloud Pak para Business Automation e IBM Business Automation Workflow pueden divulgar información de configuración sensible en un config map."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-538"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:-:*:*:containers:*:*:*", "matchCriteriaId": "EF29B7C7-5024-4A85-ADE5-D94E9002181D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if001:*:*:containers:*:*:*", "matchCriteriaId": "8464D4F4-1F9A-479B-B689-C6E90BC3AF45"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if002:*:*:containers:*:*:*", "matchCriteriaId": "0FE0DB1D-5728-4075-BE84-48F06E22FDF5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if003:*:*:containers:*:*:*", "matchCriteriaId": "A4AB37B4-DF91-4DC7-AFB9-107E5B1B2BF6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if004:*:*:containers:*:*:*", "matchCriteriaId": "79318EB6-001D-4D75-952C-87297C90A0C8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if005:*:*:containers:*:*:*", "matchCriteriaId": "38F4B5AC-AC9D-48E7-9EC8-48C086CC62A6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:if006:*:*:containers:*:*:*", "matchCriteriaId": "73BAD8DC-3081-4D07-8E65-7501351DE025"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:-:*:*:containers:*:*:*", "matchCriteriaId": "D5D9EC44-05CE-44FA-AFDE-A4FA326A54F7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if001:*:*:containers:*:*:*", "matchCriteriaId": "AD2EC4AD-EF47-450F-AA73-8BEE3DADEA1A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if002:*:*:containers:*:*:*", "matchCriteriaId": "0CFCCD13-9342-4D3D-BE9C-ABCA4EA27229"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if004:*:*:containers:*:*:*", "matchCriteriaId": "5797C332-AE9A-40BF-BAA4-7ECDDEAA907C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:if005:*:*:containers:*:*:*", "matchCriteriaId": "D0F5EB0D-CAF6-45BC-967B-472F1C2833D9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:25.0.0:-:*:*:containers:*:*:*", "matchCriteriaId": "3058E645-44E1-4FF0-9A97-E04324BB8968"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if001:*:*:containers:*:*:*", "matchCriteriaId": 
"0E06ACEC-AC03-41AA-91C7-BA84457847A7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:business_automation_workflow:25.0.0:if002:*:*:containers:*:*:*", "matchCriteriaId": "6AD427CB-B553-4ACB-B2A3-1648848D6D09"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7256777", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}