CVE-2018-1904 — Deserialization of Untrusted Data in IBM Websphere Application Server

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

9.8CRITICALNVD

CNA8.1

EPSS

0.8%

top 26.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Websphere Application Server

Timeline

PublishedDec 11

Latest updateMay 13

Description

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through an administrative client class with a serialized object from untrusted sources. IBM X-Force ID: 152533.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDibm/websphere_application_server7.0.0.0 — 7.0.0.45+3

▶CVEListV5ibm/websphere_application_server4 versions+3

Patches

Patch: www-01.ibm.com ↗Patch: www-01.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-4mxc-25gg-cmp8: IBM WebSphere Application Server 7↗2022-05-13

▶

CVEList

CVE-2018-1904: IBM WebSphere Application Server 7↗2018-12-11

▶

💬Community

Bugzilla

CVE-2017-16026 nodejs-request: Remote Memory Exposure when a multipart request is made↗2018-06-07

▶