CVE-2025-36144: CWE-532 Insertion of Sensitive Information into Log File in IBM watsonx.data
IBM Lakehouse (watsonx.data 2.2) stores potentially sensitive information in log files that could be read by a local user.
AI Analysis
Technical Summary
CVE-2025-36144 is a vulnerability in IBM watsonx.data version 2.2, part of the IBM Lakehouse platform. It is classified under CWE-532, the insertion of sensitive information into log files: the product stores potentially sensitive data in its log files, which can be read by a local user on the system. The vulnerability arises because these logs are not properly sanitized or protected, so information that should remain confidential is exposed through log file access. The CVSS v3.1 score is 3.3, a low severity level. The vector string (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) shows that exploitation requires local access (AV:L), has low attack complexity (AC:L), and needs only low privileges (PR:L) and no user interaction (UI:N). The impact is limited to confidentiality (C:L), with no impact on integrity or availability. There are no known exploits in the wild, and no patches have been linked yet. In practice, an attacker with local access and low privileges on the system where watsonx.data 2.2 is installed could retrieve sensitive data from the logs without needing more complex attack vectors or privilege escalation.
Potential Impact
For European organizations using IBM watsonx.data 2.2, this vulnerability poses a risk of sensitive data leakage through log files accessible to local users. While the severity is low, the exposure of sensitive information could lead to privacy violations, regulatory non-compliance (e.g., GDPR), and potential insider threats. Organizations handling critical or regulated data (such as financial, healthcare, or personal data) could face reputational damage and legal consequences if sensitive information is disclosed. The impact is mitigated by the requirement for local access and low privileges, which limits remote exploitation. However, in environments where multiple users share systems or where local access controls are weak, the risk increases. Additionally, the vulnerability could be leveraged as part of a broader attack chain, where information gathered from logs aids in further exploitation or lateral movement within the network.
Mitigation Recommendations
European organizations should implement strict access controls on systems running IBM watsonx.data 2.2 to limit local user access only to trusted personnel. Log files should be stored with appropriate file permissions to prevent unauthorized reading. Organizations should audit and monitor log file contents regularly to detect any sensitive information leakage. Where possible, configure watsonx.data to minimize logging of sensitive data or enable log sanitization features if available. Employ host-based intrusion detection systems (HIDS) to alert on unusual access to log files. Additionally, organizations should stay updated with IBM advisories and apply patches or updates as soon as they become available. In the interim, consider isolating systems running vulnerable versions or deploying compensating controls such as encryption of log files at rest. Conduct regular security training to raise awareness about the risks of local access and data exposure through logs.
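The permission check and content audit recommended above can be combined in one pass over a log directory. The following is an added example, not IBM's tooling or code from this advisory; the page does not name watsonx.data's log locations, so the directory, the two secret-like patterns and the sample log lines are constructed assumptions.

```python
import os
import re
import stat
import tempfile

# Assumed secret-like patterns; tune them to the data your deployment handles.
PATTERNS = {
    "credential": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*\S+"),
    "bearer": re.compile(r"(?i)\bauthorization:\s*bearer\s+\S+"),
}

def audit_logs(log_dir):
    """Return (permission_findings, content_findings) for files under log_dir."""
    perm, content = [], []
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IROTH | stat.S_IWOTH):
                perm.append((name, oct(mode)))  # readable/writable by "other"
            with open(path, errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for label, rx in PATTERNS.items():
                        if rx.search(line):
                            # Report location and type only; never echo the value.
                            content.append((name, lineno, label))
    return perm, content

def demo():
    """Run the audit over constructed sample logs in a temporary directory."""
    samples = {  # constructed log lines, not real product output
        "engine.log": (0o644, "2025-09-27 00:33:38 INFO catalog sync started\n"
                              "2025-09-27 00:33:39 DEBUG connect password=EXAMPLE-ONLY\n"
                              "2025-09-27 00:33:40 DEBUG Authorization: Bearer EXAMPLE-VALUE\n"),
        "audit.log": (0o600, "2025-09-27 00:33:41 INFO user login ok\n"),
    }
    with tempfile.TemporaryDirectory() as d:
        for name, (mode, text) in samples.items():
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
        return audit_logs(d)

if __name__ == "__main__":
    print(demo())
```

Findings carry only file name, line number and pattern label, so the audit report does not itself become a second copy of the leaked value.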
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:19.940Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68d730e279aa5c9d085546ff
Added to database: 9/27/2025, 12:33:38 AM
Last enriched: 10/5/2025, 12:59:12 AM
Last updated: 11/9/2025, 7:38:07 AM