#VU95625 Input validation error in IBM WebSphere Application Server - CVE-2024-35154


Vulnerability identifier: #VU95625

Vulnerability risk: Low

CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-35154

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM WebSphere Application Server
Server applications / Application servers

Vendor: IBM Corporation

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to insufficient validation of user-supplied input within the administrative console. A remote privileged user can send specially crafted input to the application and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

IBM WebSphere Application Server: 8.5 - 8.5.5.25, 9.0 - 9.0.5.20

External links
https://www.ibm.com/support/pages/node/7159825

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak System
Multiple vulnerabilities in IBM Business Monitor
Multiple vulnerabilities in IBM Security Verify Governance - Identity Manager
Multiple vulnerabilities in IBM Tivoli Monitoring
Input validation error in IBM Jazz for Service Management
Input validation error in IBM Maximo Asset Management
Input validation error in IBM Tivoli Composite Application Manager for Application Diagnostics
Input validation error in IBM Tivoli System Automation Application Manager
Input validation error in IBM Security Guardium Key Lifecycle Manager
Input validation error in IBM Business Automation Workflow