CVE-2024-22354

Summary

IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, or to conduct a server-side request forgery attack. IBM X-Force ID: 280401.

Affected Software

VendorProductVersion RangeStatus
IBMWebSphere Application Server8.5, 9.0affected
IBMWebSphere Application Server Liberty17.0.0.3 <= 24.0.0.5affected
IBMWebSphere Application Server Libertycpe:2.3:a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*affected
IBMWebSphere Application Server Libertycpe:2.3:a:ibm:websphere_application_server:24.0.0.5:*:*:*:liberty:*:*:*affected

Weaknesses

  • CWE-611: CWE-611 Improper Restriction of XML External Entity Reference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References