IBM Robotic Process Automation
By the Year
In 2026 there have been 0 vulnerabilities in IBM Robotic Process Automation. Last year, in 2025, Robotic Process Automation had 4 security vulnerabilities published. Right now, Robotic Process Automation is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 4 | 5.85 |
| 2024 | 2 | 4.60 |
| 2023 | 16 | 5.93 |
| 2022 | 18 | 6.41 |
It may take a day or so for new Robotic Process Automation vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent IBM Robotic Process Automation Security Vulnerabilities
IBM RPA/Cloud Pak Session Invalidation Failure 21.0-23.0
CVE-2024-49825
4.3 - Medium
- April 14, 2025
IBM Robotic Process Automation and Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.20 and 23.0.0 through 23.0.20 do not invalidate the session after a logout, which could allow an authenticated user to impersonate another user on the system.
Insufficient Session Expiration
IBM RPA 21.0-23.0 Privilege Escalation via Client-Side Validation
CVE-2024-49824
6.5 - Medium
- January 18, 2025
IBM Robotic Process Automation 21.0.0 through 21.0.7.18 and 23.0.0 through 23.0.18 and IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.18 and 23.0.0 through 23.0.18 could allow an authenticated user to perform unauthorized actions as a privileged user due to improper validation of client-side security enforcement.
Client-Side Enforcement of Server-Side Security
Local Privilege Escalation in IBM RPA 21-23 via nssm.exe
CVE-2024-51448
6.7 - Medium
- January 18, 2025
IBM Robotic Process Automation 21.0.0 through 21.0.7.17 and 23.0.0 through 23.0.18 could allow a local user to escalate their privileges. All files in the install inherit the file permissions of the parent directory and therefore a non-privileged user can substitute any executable for the nssm.exe service. A subsequent service or server restart will then run that binary with administrator privilege.
Incorrect Permission Assignment for Critical Resource
IBM RPA 21.0.0-21.0.7.19, 23.0.0-23.0.19: Remote Crypto-Analytic Data Exposure
CVE-2024-51456
5.9 - Medium
- January 12, 2025
IBM Robotic Process Automation 21.0.0 through 21.0.7.19 and 23.0.0 through 23.0.19 could allow a remote attacker to obtain sensitive data that may be exposed through certain crypto-analytic attacks.
Use of a Broken or Risky Cryptographic Algorithm
IBM RPAutomation 21.0.x: Credential Disclosure
CVE-2022-33954
4.6 - Medium
- December 19, 2024
IBM Robotic Process Automation 21.0.1, 21.0.2, and 21.0.3 could allow a user with physical access to the system to obtain sensitive information due to insufficiently protected credentials.
Insufficiently Protected Credentials
IBM RPA 21.0.2 Cross-Tenant User ID Leakage
CVE-2022-22506
4.6 - Medium
- February 12, 2024
IBM Robotic Process Automation 21.0.2 contains a vulnerability that could allow user IDs to be exposed across tenants. IBM X-Force ID: 227293.
IBM RPA <= v23.0.10: Client Vault Credential Leak
CVE-2023-45189
6.5 - Medium
- November 03, 2023
A vulnerability in IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.10 and 23.0.0 through 23.0.10 may result in access to client vault credentials. This difficult-to-exploit vulnerability could allow a low-privileged attacker to programmatically access client vault credentials. IBM X-Force ID: 268752.
IBM RPA 23.0.9 Priv Escalation via Project Ownership
CVE-2023-43058
9.8 - Critical
- October 06, 2023
IBM Robotic Process Automation 23.0.9 is vulnerable to privilege escalation that affects ownership of projects. IBM X-Force ID: 247527.
IBM RPA 21.x Info Disclosure via Script Access Before 21.0.7.8
CVE-2023-38718
5.3 - Medium
- September 20, 2023
IBM Robotic Process Automation 21.0.0 through 21.0.7.8 could disclose sensitive information from access to RPA scripts, workflows and related data. IBM X-Force ID: 261606.
IBM RPA 21.0.0-23.0.1 Authenticated Log Disclosure
CVE-2023-38733
4.3 - Medium
- August 22, 2023
IBM Robotic Process Automation 21.0.0 through 21.0.7.1 and 23.0.0 through 23.0.1 server could allow an authenticated user to view sensitive information from installation logs. IBM X-Force ID: 262293.
Insertion of Sensitive Information into Log File
IBM RPA 21.0.0-7.1 Info Disclosure via REST Policy
CVE-2023-40370
5.3 - Medium
- August 22, 2023
IBM Robotic Process Automation 21.0.0 through 21.0.7.1 runtime is vulnerable to information disclosure of script content if the remote REST request computer policy is enabled. IBM X-Force ID: 263470.
Authenticated Log Disclosure in IBM RPA 21.0.0-21.0.7
CVE-2023-38732
4.3 - Medium
- August 22, 2023
IBM Robotic Process Automation 21.0.0 through 21.0.7 server could allow an authenticated user to view sensitive information from application logs. IBM X-Force ID: 262289.
Insertion of Sensitive Information into Log File
IBM RPA 21.0.0-21.0.7 API Route Unauthorized Access
CVE-2023-23476
6.5 - Medium
- August 02, 2023
IBM Robotic Process Automation 21.0.0 through 21.0.7.latest is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes. IBM X-Force ID: 245425.
AuthZ
IBM RPA 21.x-21.0.7.6 & 23.x-23.0.6 Client-Side Validation Bypass
CVE-2023-35901
5.3 - Medium
- July 17, 2023
IBM Robotic Process Automation 21.0.0 through 21.0.7.6 and 23.0.0 through 23.0.6 is vulnerable to client side validation bypass which could allow invalid changes or values in some fields. IBM X-Force ID: 259380.
Authentication
IBM RPA Cloud Pak 21.0.1-23.0.3 Redis Config Privilege Escalation
CVE-2023-22593
7.8 - High
- June 27, 2023
IBM Robotic Process Automation for Cloud Pak 21.0.1 through 21.0.7.3 and 23.0.0 through 23.0.3 is vulnerable to security misconfiguration of the Redis container which may provide elevated privileges. IBM X-Force ID: 244074.
IBM RPA 21.0.1-21.0.7/23.0.0-23.0.1 Session Token Persistence Post-Reset
CVE-2023-22591
3.2 - Low
- March 15, 2023
IBM Robotic Process Automation 21.0.1 through 21.0.7 and 23.0.0 through 23.0.1 could allow a user with physical access to the system due to session tokens not being invalidated after a password reset. IBM X-Force ID: 243710.
Insufficient Session Expiration
IBM RPA 21.0.1-21.0.5 Credential Leak in Queue Provider Config
CVE-2023-25680
6.5 - Medium
- March 15, 2023
IBM Robotic Process Automation 21.0.1 through 21.0.5 is vulnerable to insufficiently protecting credentials. Queue Provider credentials are not obfuscated while editing queue provider details. IBM X-Force ID: 247032.
IBM RPA Client-Side Validation Bypass v21.0.0-21.0.7 & 23.0.0
CVE-2022-46773
6.5 - Medium
- March 15, 2023
IBM Robotic Process Automation 21.0.0 - 21.0.7 and 23.0.0 is vulnerable to client-side validation bypass for credential pools. Invalid credential pools may be created as a result. IBM X-Force ID: 242951.
Authentication
IBM RPA 20.12.0-21.0.2 HTTP default in URL prefixes allows MitM
CVE-2023-22863
5.9 - Medium
- January 18, 2023
IBM Robotic Process Automation 20.12.0 through 21.0.2 defaults to HTTP in some RPA commands when the prefix is not explicitly specified in the URL. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 244109.
Cleartext Transmission of Sensitive Information
IBM RPA for Cloud Pak 21.0.1-21.0.4: Local Permission Bypass
CVE-2023-22592
7.8 - High
- January 18, 2023
IBM Robotic Process Automation for Cloud Pak 21.0.1 through 21.0.4 could allow a local user to perform unauthorized actions due to insufficient permission settings. IBM X-Force ID: 244073.
Incorrect Permission Assignment for Critical Resource
IBM RPA 20.12-21.0.6 Memory Info Disclosure via Physical Access
CVE-2022-41740
4.6 - Medium
- January 05, 2023
IBM Robotic Process Automation 20.12 through 21.0.6 could allow an attacker with physical access to the system to obtain highly sensitive information from system memory. IBM X-Force ID: 238053.
Cleartext Storage of Sensitive Information
IBM RPA 20.12-21.0.6 Disclosure of Creator/Mod Email Names
CVE-2022-43573
5.3 - Medium
- January 05, 2023
IBM Robotic Process Automation 20.12 through 21.0.6 is vulnerable to exposure of the name and email for the creator/modifier of platform level objects. IBM X-Force ID: 238678.
Information Disclosure
IBM RPA 21.0.1/21.0.2 Info Disclosure to Unauthorized Control Sphere
CVE-2022-38710
5.3 - Medium
- November 03, 2022
IBM Robotic Process Automation 21.0.1 and 21.0.2 could disclose sensitive version information to an unauthorized control sphere that could aid in further attacks against the system. IBM X-Force ID: 234292.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
IBM RPA 21.x Incorrect Permission Assignment Allow Config Access
CVE-2022-43574
7.5 - High
- November 03, 2022
IBM Robotic Process Automation 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to incorrect permission assignment which could allow access to application configurations. IBM X-Force ID: 238679.
Incorrect Default Permissions
IBM RPA Cloud Pak 21.0.x XSS in Web UI
CVE-2022-38709
6.1 - Medium
- October 06, 2022
IBM Robotic Process Automation 21.0.1, 21.0.2, and 21.0.3 for Cloud Pak is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 234291.
XSS
IBM RPA 21.0.x CORS Misconfiguration via Bot API (CVE-2022-41294)
CVE-2022-41294
6.5 - Medium
- October 06, 2022
IBM Robotic Process Automation 21.0.0, 21.0.1, 21.0.2, 21.0.3, and 21.0.4 is vulnerable to cross origin resource sharing using the bot api. IBM X-Force ID: 236807.
Origin Validation Error
IBM RPA 21.0.x MitM via Proxy Config Manipulation
CVE-2022-36774
5.3 - Medium
- October 06, 2022
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to man in the middle attacks through manipulation of the client proxy configuration. IBM X-Force ID: 233575.
IBM RPA 21.0.0 Click Hijack via Malicious Web Site
CVE-2022-22503
6.1 - Medium
- October 06, 2022
IBM Robotic Process Automation 21.0.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 227125.
Clickjacking
IBM RPA Clients: Proxy Credentials Leaked in Upgrade Logs
CVE-2022-39168
7.5 - High
- September 29, 2022
IBM Robotic Process Automation Clients are vulnerable to proxy credentials being exposed in upgrade logs. IBM X-Force ID: 235422.
Insufficiently Protected Credentials
IBM RPA 21.0.0-21.0.2 Weak Password Enforcement Enables Credential Compromise
CVE-2022-35280
9.8 - Critical
- August 10, 2022
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 230634.
Weak Password Requirements
IBM RPA 21.0.0-21.0.2 Privileged User Azure Bot Credential Leak
CVE-2022-22490
4.9 - Medium
- August 10, 2022
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a privileged user to obtain sensitive Azure bot credential information. IBM X-Force ID: 226342.
Files or Directories Accessible to External Parties
IBM RPA 21.0.0-21.0.2 Credential Leak via Bulk Upload
CVE-2022-33169
6.5 - Medium
- August 01, 2022
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to insufficiently protected credentials for users created via a bulk upload. IBM X-Force ID: 228888.
Insufficiently Protected Credentials
IBM RPA 21.0.x Improper Privilege Mgmt Allows Sensitive Data Disclosure
CVE-2022-34338
6.5 - Medium
- August 01, 2022
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could disclose sensitive information due to improper privilege management for storage provider types. IBM X-Force ID: 229962.
Improper Privilege Management
IBM RPA 21.x Tenant Data Leakage (CVE-2022-22334)
CVE-2022-22334
4.3 - Medium
- August 01, 2022
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user to access information from a tenant of which they should not have access. IBM X-Force ID: 219391.
IBM RPA 21.0.0-21.0.2 CVE-2022-22505: Credentials Exposure
CVE-2022-22505
7.5 - High
- August 01, 2022
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 contains a vulnerability that could allow IBM tenant credentials to be exposed. IBM X-Force ID: 227288.
IBM RPA 21.x Privilege Escalation via API Manip in 21.0.0-21.0.2
CVE-2022-30616
7.2 - High
- August 01, 2022
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a privileged user to elevate their privilege to platform administrator through manipulation of APIs. IBM X-Force ID: 227978.
IBM RPA 21.0.0-21.0.2 Login Token Leak: Localhost Auth Bypass
CVE-2022-22412
4.6 - Medium
- July 26, 2022
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user with access to the local host (client machine) to obtain a login access token. IBM X-Force ID: 223019.
IBM Robotic Process Automation 21.0.1 and 21.0.2 is vulnerable to cross-site scripting
CVE-2022-22502
5.4 - Medium
- June 24, 2022
IBM Robotic Process Automation 21.0.1 and 21.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227124.
XSS
IBM Robotic Process Automation 21.0.1 and 21.0.2 could
CVE-2022-33953
4.6 - Medium
- June 24, 2022
IBM Robotic Process Automation 21.0.1 and 21.0.2 could allow a user with physical access to the system to obtain sensitive information due to insufficiently protected access tokens. IBM X-Force ID: 229198.
Insufficiently Protected Credentials
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to SQL injection
CVE-2022-22413
9.8 - Critical
- May 12, 2022
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 223022.
SQL Injection