Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-22320 — Deserialization of Untrusted Data in IBM Operational Decision Manager

CWE-502 — Deserialization of Untrusted Data5 documents5 sources

Severity

8.8HIGHNVD

CNA9.8VulnCheck9.8

EPSS

90.8%

top 0.37%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

IBM Operational Decision Manager

Timeline

PublishedFeb 2

Description

IBM Operational Decision Manager 8.10.3 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5ibm/operational_decision_manager8.10.3

▶NVDibm/operational_decision_manager6 versions+5

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-5pq5-cp3w-7chj: IBM Operational Decision Manager 8↗2024-02-02

▶

CVEList

IBM Operational Decision Manager code execution↗2024-02-02

▶

VulnCheck

IBM operational_decision_manager Deserialization of Untrusted Data↗2024

▶

💥Exploits & PoCs

Nuclei

IBM Operational Decision Manager - Java Deserialization

▶