Security vulnerability (CVE) list

The following table lists the CVEs that affect Open Liberty, ordered by the release in which they were fixed.

| CVE | CVSS Score | Vulnerability Assessment | Versions Affected | Version Fixed | Notes |
|---|---|---|---|---|---|
| CVE-2022-37734 | 7.5 | Denial of service | 17.0.0.3 - 22.0.0.11 | 22.0.0.12 | Affects the mpGraphQL-1.0 and mpGraphQL-2.0 features |
| CVE-2022-24839 | 7.5 | Denial of service | 17.0.0.3 - 22.0.0.10 | 22.0.0.11 | Affects the openid-2.0 feature |
| CVE-2022-34165 | 5.4 | HTTP header injection | 17.0.0.3 - 22.0.0.9 | 22.0.0.10 | |
| CVE-2022-22476 | 5 | Identity spoofing | 17.0.0.3 - 22.0.0.7 | 22.0.0.8 | Affects the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 and appSecurity-4.0 features |
| CVE-2022-22475 | 7.1 | Identity spoofing | 17.0.0.3 - 22.0.0.5 | 22.0.0.6 | Affects the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 and appSecurity-4.0 features |
| CVE-2022-22393 | 3.1 | Information disclosure | 17.0.0.3 - 22.0.0.5 | 22.0.0.6 | Affects the adminCenter-1.0 feature |
| CVE-2021-39038 | 4.4 | Clickjacking vulnerability | 17.0.0.3 - 22.0.0.2 | 22.0.0.3 | Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1 and mpOpenAPI-2.0 features |
| CVE-2021-23450 | 9.8 | Remote code execution | 17.0.0.3 - 22.0.0.2 | 22.0.0.3 | Affects the adminCenter-1.0 feature |
| CVE-2021-46708 | 4.3 | Clickjacking | 21.0.0.12 - 22.0.0.1 | 22.0.0.2 | Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0 and mpOpenAPI-3.0 features |
| CVE-2018-25031 | 5.4 | Spoofing attack | 21.0.0.12 - 22.0.0.1 | 22.0.0.2 | Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0 and mpOpenAPI-3.0 features |
| CVE-2021-39031 | 7.5 | LDAP injection | 17.0.0.3 - 22.0.0.1 | 22.0.0.2 | Affects the ldapRegistry-3.0 feature |
| CVE-2022-22310 | 4.8 | Information disclosure | 21.0.0.10 - 21.0.0.12 | 22.0.0.1 | Affects the jaxws-2.2 feature |
| CVE-2021-36090 | 7.5 | Denial of service | 17.0.0.3 - 21.0.0.9 | 21.0.0.10 | |
| CVE-2021-35517 | 5.5 | Denial of service | 17.0.0.3 - 21.0.0.9 | 21.0.0.10 | |
| CVE-2021-29842 | 3.7 | Information disclosure | 17.0.0.3 - 21.0.0.9 | 21.0.0.10 | Affects the federatedRegistry-1.0 feature |
| CVE-2021-26296 | 8.8 | Cross-site request forgery | 17.0.0.3 - 21.0.0.3 | 21.0.0.4 | Affects the jsf-2.2 and jsf-2.3 features |
| CVE-2020-10693 | 5.3 | Bypass security | 17.0.0.3 - 20.0.0.10 | 20.0.0.11 | Affects the beanValidation-2.0 feature |
| CVE-2020-4590 | 5.3 | Denial of service | 19.0.0.5 - 20.0.0.9 | 20.0.0.10 | Affects the oauth-2.0 and openidConnectServer-1.0 features |
| CVE-2020-4421 | 5 | Identity spoofing | 19.0.0.5 - 20.0.0.4 | 20.0.0.5 | Affects the openidConnectServer-1.0 feature |
| CVE-2020-4329 | 4.3 | Information disclosure | 17.0.0.3 - 20.0.0.4 | 20.0.0.5 | Affects the servlet-3.1, servlet-4.0, appSecurity-2.0, and appSecurity-3.0 features |
| CVE-2020-4303 | 6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.3 | 20.0.0.4 | Affects the oauth-2.0, openidConnectClient-1.0, openidConnectServer-1.0, and samlWeb-2.0 features |
| CVE-2020-4304 | 6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.3 | 20.0.0.4 | Affects the oauth-2.0, openidConnectClient-1.0, openidConnectServer-1.0, and samlWeb-2.0 features |
| CVE-2019-17573 | 6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.2 | 20.0.0.3 | Affects the jaxws-2.2 feature |
| CVE-2019-12406 | 5.3 | Denial of service | 17.0.0.3 - 20.0.0.1 | 20.0.0.2 | Affects the jaxrs-2.0, jaxrs-2.1, and jaxws-2.2 features |
| CVE-2019-4720 | 7.5 | Denial of service | 17.0.0.3 - 20.0.0.1 | 20.0.0.2 | |
| CVE-2019-17495 | 5.3 | Information disclosure | 17.0.0.3 - 19.0.0.12 | 20.0.0.1 | Affects the mpOpenAPI-1.0, mpOpenAPI-1.1, and openapi-3.1 features |
| CVE-2019-4441 | 5.3 | Information disclosure | 17.0.0.3 - 19.0.0.10 | 19.0.0.11 | Affects the jsp-2.2 and jsp-2.3 features |
| CVE-2014-3603 | 6.8 | Spoofing | 17.0.0.3 - 19.0.0.10 | 19.0.0.11 | Affects the wsSecurity-1.1 and samlWeb-2.0 features |
| CVE-2019-9518 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9517 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9515 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9514 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9513 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9512 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-4304 | 6.3 | Bypass security | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the appSecurity-1.0 and appSecurity-2.0 features |
| CVE-2019-4305 | 5.3 | Information disclosure | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the appSecurity-1.0 and appSecurity-2.0 features |
| CVE-2014-3603 | 6.5 | Man-in-the-Middle | 17.0.0.3 - 19.0.0.7 | 19.0.0.8 | Affects the wsSecurity-1.1 and samlWeb-2.0 features |
| CVE-2019-4046 | 5.9 | Denial of service | 17.0.0.3 - 19.0.0.3 | 19.0.0.4 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2018-1902 | 3.1 | Spoofing | 17.0.0.3 - 19.0.0.2 | 19.0.0.3 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2018-1901 | 5.0 | Privilege escalation | 17.0.0.3 - 18.0.0.3 | 18.0.0.4 | Affects the ldapRegistry-3.0 feature |
| CVE-2014-7810 | 5.0 | Bypass security | 17.0.0.3 - 18.0.0.3 | 18.0.0.4 | Affects the jsp-2.2, jsp-2.3, and el-3.0 features |
| CVE-2018-8039 | 7.5 | Man-in-the-Middle | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | Affects the jaxws-2.2, jaxrs-2.0, and jaxrs-2.1 features |
| CVE-2018-1755 | 5.9 | Information disclosure | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | Affects the jaspic-1.1 feature |
| CVE-2018-1683 | 5.9 | Information disclosure | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | Affects the ejbRemote-3.2 feature |
| CVE-2017-12624 | 5.3 | Denial of service | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | Affects the jaxws-2.2, jaxrs-2.0, and jaxrs-2.1 features |
| CVE-2017-1788 | 5.3 | Spoofing | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | Affects any feature that enables security, for example, the appSecurity-2.0, appSecurity-3.0, and restConnector-2.0 features |
| CVE-2016-100031 | 9.8 | Execute code | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | Affects the servlet-3.1 and servlet-4.0 features |