Security vulnerability (CVE) list

The following table lists the CVEs that affect Open Liberty, ordered by the release in which they were fixed.

| CVE | CVSS Score | Vulnerability Assessment | Versions Affected | Version Fixed | Notes |
|---|---|---|---|---|---|
| CVE-2020-4421 | 5 | Identity spoofing | 19.0.0.5 - 20.0.0.4 | 20.0.0.5 | Affects the openidConnectServer-1.0 feature |
| CVE-2020-4329 | 4.3 | Information disclosure | 17.0.0.3 - 20.0.0.4 | 20.0.0.5 | Affects the servlet-3.1, servlet-4.0, appSecurity-2.0, and appSecurity-3.0 features |
| CVE-2020-4303 | 6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.3 | 20.0.0.4 | Affects the oauth-2.0, openidConnectClient-1.0, openidConnectServer-1.0, and samlWeb-2.0 features |
| CVE-2020-4304 | 6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.3 | 20.0.0.4 | Affects the oauth-2.0, openidConnectClient-1.0, openidConnectServer-1.0, and samlWeb-2.0 features |
| CVE-2019-17573 | 6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.2 | 20.0.0.3 | Affects the jaxws-2.2 feature |
| CVE-2019-12406 | 5.3 | Denial of service | 17.0.0.3 - 20.0.0.1 | 20.0.0.2 | Affects the jaxrs-2.0, jaxrs-2.1, and jaxws-2.2 features |
| CVE-2019-4720 | 7.5 | Denial of service | 17.0.0.3 - 20.0.0.1 | 20.0.0.2 | |
| CVE-2019-17495 | 5.3 | Information disclosure | 17.0.0.3 - 19.0.0.12 | 20.0.0.1 | Affects the mpOpenAPI-1.0, mpOpenAPI-1.1, and openapi-3.1 features |
| CVE-2019-4441 | 5.3 | Information disclosure | 17.0.0.3 - 19.0.0.10 | 19.0.0.11 | Affects the jsp-2.2 and jsp-2.3 features |
| CVE-2014-3603 | 6.8 | Spoofing | 17.0.0.3 - 19.0.0.10 | 19.0.0.11 | Affects the wsSecurity-1.1 and samlWeb-2.0 features |
| CVE-2019-9518 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9517 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9515 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9514 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9513 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9512 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-4304 | 6.3 | Bypass security | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the appSecurity-1.0 and appSecurity-2.0 features |
| CVE-2019-4305 | 5.3 | Information disclosure | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the appSecurity-1.0 and appSecurity-2.0 features |
| CVE-2014-3603 | 6.5 | Man-in-the-Middle | 17.0.0.3 - 19.0.0.7 | 19.0.0.8 | Affects the wsSecurity-1.1 and samlWeb-2.0 features |
| CVE-2019-4046 | 5.9 | Denial of service | 17.0.0.3 - 19.0.0.3 | 19.0.0.4 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2018-1902 | 3.1 | Spoofing | 17.0.0.3 - 19.0.0.2 | 19.0.0.3 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2018-1901 | 5.0 | Privilege escalation | 17.0.0.3 - 18.0.0.3 | 18.0.0.4 | Affects the ldapRegistry-3.0 feature |
| CVE-2014-7810 | 5.0 | Bypass security | 17.0.0.3 - 18.0.0.3 | 18.0.0.4 | Affects the jsp-2.2, jsp-2.3, and el-3.0 features |
| CVE-2018-8039 | 7.5 | Man-in-the-Middle | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | Affects the jaxws-2.2, jaxrs-2.0, and jaxrs-2.1 features |
| CVE-2018-1755 | 5.9 | Information disclosure | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | Affects the jaspic-1.1 feature |
| CVE-2018-1683 | 5.9 | Information disclosure | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | Affects the ejbRemote-3.2 feature |
| CVE-2017-12624 | 5.3 | Denial of service | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | Affects the jaxws-2.2, jaxrs-2.0, and jaxrs-2.1 features |
| CVE-2017-1788 | 5.3 | Spoofing | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | Affects any feature that enables security, for example, the appSecurity-2.0, appSecurity-3.0, and restConnector-2.0 features |
| CVE-2016-100031 | 9.8 | Execute code | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | Affects the servlet-3.1 and servlet-4.0 features |