CVSS3: 7 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | LOW |
Availability Impact | LOW |

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

AI Score: 7.3 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.1%)

IBM WebSphere Application Server Liberty is vulnerable to an XML External Entity (XXE) injection vulnerability.
CVEID: CVE-2024-22354
**DESCRIPTION:** IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, or to conduct a server-side request forgery attack. IBM X-Force ID: 280401.
CVSS Base score: 7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/280401 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L)
Affected Product(s) | Version(s) |
---|---|
Log Analysis | 1.3.5.3 |
Log Analysis | 1.3.6.0 |
Log Analysis | 1.3.6.1 |
Log Analysis | 1.3.7.0 |
Log Analysis | 1.3.7.1 |
Log Analysis | 1.3.7.2 |
Log Analysis | 1.3.8.0 |
Log Analysis | 1.3.8.1 |
Principal Product and Version(s) | Fix details |
---|---|
IBM Operations Analytics - Log Analysis version 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0 and 1.3.8.1 | 1. For Log Analysis version 1.3.5.3 to 1.3.8.0, download wlp-core-all-23.0.0.12.jar and upgrade Liberty to version 23.0.0.12. 2. For Log Analysis version 1.3.5.3 to 1.3.8.1, download 230012-wlp-archive-IFPH61042 and apply the interim fix PH61042 on Liberty 23.0.0.12. |
None