CVE-2020-4464 — Deserialization of Untrusted Data in IBM Websphere Application Server

CWE-502 — Deserialization of Untrusted Data6 documents4 sources

Severity

8.8HIGHNVD

EPSS

45.4%

top 2.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Websphere Application Server

Timeline

PublishedJul 17

Latest updateMay 24

Description

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system with a specially-crafted sequence of serialized objects over the SOAP connector. IBM X-Force ID: 181489.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDibm/websphere_application_server7.0.0.0 — 7.0.0.45+3

▶CVEListV5ibm/websphere_application_server4 versions+3

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-57jh-54r4-h5x5: IBM WebSphere Application Server 7↗2022-05-24

▶

CVEList

CVE-2020-4464: IBM WebSphere Application Server 7↗2020-07-17

▶

🕵️Threat Intelligence

Trendmicro

Exploiting Other Remote Protocols in IBM WebSphere↗2020-09-29

▶

Trendmicro

Exploiting Other Remote Protocols in IBM WebSphere↗2020-09-29

▶