CVE-2018-1851 — Deserialization of Untrusted Data in IBM Websphere Application Server

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

9.8CRITICALNVD

CNA7.3

EPSS

3.8%

top 11.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Websphere Application Server

Timeline

PublishedOct 31

Latest updateMay 13

Description

IBM WebSphere Application Server Liberty OpenID Connect could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization. By sending a specially-crafted request to the RP service, an attacker could exploit this vulnerability to execute arbitrary code. IBM X-Force ID: 150999.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDibm/websphere_application_server< 18.0.0.3

▶CVEListV5ibm/websphere_application_serverLiberty

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-mv84-hf34-fgc6: IBM WebSphere Application Server Liberty OpenID Connect could allow a remote attacker to execute arbitrary code on the system, caused by improper dese↗2022-05-13

▶

CVEList

CVE-2018-1851: IBM WebSphere Application Server Liberty OpenID Connect could allow a remote attacker to execute arbitrary code on the system, caused by improper dese↗2018-10-31

▶

💬Community

Bugzilla

CVE-2018-18511 mozilla: Cross-origin theft of images with ImageBitmapRenderingContext↗2019-02-13

▶