What is CVE-2024-22354?

CVE-2024-22354 is a high-severity vulnerability in Ibm Websphere Application Server, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 7.0/10. Published 2024-04-17.

How severe is CVE-2024-22354?

High severity. CVSS v3 base score is 7.0 out of 10.

XXE in Ibm Websphere Application Server

CVE-2024-22354

IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.000 (5.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.0 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L.

Affected products

Ibm Websphere Application Server — versions 8.5, 9.0
Ibm Websphere Application Server Liberty — versions 17.0.0.3, cpe:2.3:a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*, cpe:2.3:a:ibm:websphere_application_server:24.0.0.5:*:*:*:liberty:*:*:*

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

References

www.ibm.com/support/pages/node/7148426 (vendor-advisory)
exchange.xforce.ibmcloud.com/vulnerabilities/280401 (vdb-entry)

Frequently asked questions

What is CVE-2024-22354?: CVE-2024-22354 is a high-severity vulnerability in Ibm Websphere Application Server, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 7.0/10. Published 2024-04-17.
How severe is CVE-2024-22354?: High severity. CVSS v3 base score is 7.0 out of 10.