Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-1821 — XML External Entity (XXE) Injection in IBM Operational Decision Manager

CWE-611 — XML External Entity (XXE) Injection4 documents4 sources

Severity

9.1CRITICALNVD

CNA7.1

EPSS

23.8%

top 3.98%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

IBM Operational Decision Manager IBM Operational Decision Management

Timeline

PublishedDec 13

Latest updateMay 13

Description

IBM Operational Decision Management 8.5, 8.6, 8.7, 8.8, and 8.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150170.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5ibm/operational_decision_management5 versions+4

▶NVDibm/operational_decision_manager8.6.0.0 — 8.6.0.3+3

🔴Vulnerability Details

GHSA

GHSA-j898-7mvf-jvmr: IBM Operational Decision Management 8↗2022-05-13

▶

CVEList

CVE-2018-1821: IBM Operational Decision Management 8↗2018-12-13

▶

💥Exploits & PoCs

Exploit-DB

IBM Operational Decision Manager 8.x - XML External Entity Injection↗2018-12-19

▶