⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-4428

CWE-78OS Command InjectionCWE-94Code Injection7 documents7 sources
Severity
9.1CRITICAL
EPSS
92.3%
top 0.28%
CISA KEV
KEV
Added 2021-11-03
Due 2022-05-03
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
IBM Data Risk Manager
Timeline
PublishedMay 7
KEV addedNov 3
KEV dueMay 3
Latest updateJun 3
CISA Required Action: Apply updates per vendor instructions.

Description

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages2 packages

NVDibm/data_risk_manager2.0.12.0.4
CVEListV5ibm/data_risk_manager6 versions+5

Patches

Patch: www.ibm.comPatch: www.ibm.com

🔴Vulnerability Details

4
GHSA
Hibernate Validator may interpolate user-supplied input in a constraint violation message with Expression Language2025-06-03
GHSA
GHSA-r3v6-c98w-p4j5: IBM Data Risk Manager 22022-05-24
CVEList
CVE-2020-4428: IBM Data Risk Manager 22020-05-07
VulnCheck
IBM Data Risk Manager Remote Code Execution Vulnerability2020

📋Vendor Advisories

2
Red Hat
hibernate-validator: Hibernate Validator Expression Language Injection2025-06-03
CISA
IBM Data Risk Manager Remote Code Execution Vulnerability2021-11-03
CVE-2020-4428 (CRITICAL CVSS 9.1) | IBM Data Risk Manager 2.0.1 | cvebase.io