CVE-2024-22354

CWE-611 — XML External Entity (XXE)3 documents3 sources

Severity

7.0HIGH

EPSS

0.0%

top 95.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Websphere Application Server IBM Websphere Application Server Liberty

Timeline

PublishedApr 17

Description

IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, or to conduct a server-side request forgery attack. IBM X-Force ID: 280401.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:LExploitability: 2.2 | Impact: 4.7

Affected Packages3 packages

▶CVEListV5ibm/websphere_application_server_liberty17.0.0.3 — 24.0.0.5+2

▶NVDibm/websphere_application_server8.5.0.0 — 8.5.5.26+2

▶CVEListV5ibm/websphere_application_server8.5, 9.0

🔴Vulnerability Details

CVEList

IBM WebSphere Application Server XML external entity injection↗2024-04-17

▶

GHSA

GHSA-cxq5-8mc6-xprf: IBM WebSphere Application Server 8↗2024-04-17

▶