Security vulnerability (CVE) list

The following table lists the CVEs that affect Open Liberty, ordered by the release in which they were fixed.

CVE	CVSS Score	Vulnerability Assessment	Versions Affected	Version Fixed	Notes
CVE-2022-37734	7.5	Denial of service	17.0.0.3 - 22.0.0.11	22.0.0.12	Affects the mpGraphQL-1.0 and mpGraphQL-2.0 features
CVE-2022-24839	7.5	Denial of service	17.0.0.3 - 22.0.0.10	22.0.0.11	Affects the openid-2.0 feature
CVE-2022-34165	5.4	HTTP header injection	17.0.0.3 - 22.0.0.9	22.0.0.10
CVE-2022-22476	5	Identity spoofing	17.0.0.3 - 22.0.0.7	22.0.0.8	Affects the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 and appSecurity-4.0 features
CVE-2022-22475	7.1	Identity spoofing	17.0.0.3 - 22.0.0.5	22.0.0.6	Affects the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 and appSecurity-4.0 features
CVE-2022-22393	3.1	Information disclosure	17.0.0.3 - 22.0.0.5	22.0.0.6	Affects the adminCenter-1.0 feature
CVE-2021-39038	4.4	Clickjacking vulnerability	17.0.0.3 - 22.0.0.2	22.0.0.3	Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1 and mpOpenAPI-2.0 features
CVE-2021-23450	9.8	Remote code execution	17.0.0.3 - 22.0.0.2	22.0.0.3	Affects the admin-Center-1.0 feature
CVE-2021-46708	4.3	Clickjacking	21.0.0.12 - 22.0.0.1	22.0.0.2	Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0 and mpOpenAPI-3.0 features
CVE-2018-25031	5.4	Spoofing attack	21.0.0.12 - 22.0.0.1	22.0.0.2	Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0 and mpOpenAPI-3.0 features
CVE-2021-39031	7.5	LDAP injection	17.0.0.3 - 22.0.0.1	22.0.0.2	Affects the ldapRegistry-3.0 feature
CVE-2022-22310	4.8	Information disclosure	21.0.0.10 - 21.0.0.12	22.0.0.1	Affects the jaxws-2.2 feature
CVE-2021-36090	7.5	Denial of service	17.0.0.3 - 21.0.0.9	21.0.0.10
CVE-2021-35517	5.5	Denial of service	17.0.0.3 - 21.0.0.9	21.0.0.10
CVE-2021-29842	3.7	Information disclosure	17.0.0.3 - 21.0.0.9	21.0.0.10	Affects the federatedRegistry-1.0 feature
CVE-2021-26296	8.8	Cross-site request forgery	17.0.0.3 - 21.0.0.3	21.0.0.4	Affects the jsf-2.2 and jsf-2.3 features
CVE-2020-10693	5.3	Bypass security	17.0.0.3 - 20.0.0.10	20.0.0.11	Affects the beanValidation-2.0 feature
CVE-2020-4590	5.3	Denial of service	19.0.0.5 - 20.0.0.9	20.0.0.10	Affects the oauth-2.0 and openidConnectServer-1.0 features
CVE-2020-4421	5	Identity spoofing	19.0.0.5 - 20.0.0.4	20.0.0.5	Affects the openidConnectServer-1.0 feature
CVE-2020-4329	4.3	Information disclosure	17.0.0.3 - 20.0.0.4	20.0.0.5	Affects the servlet-3.1, servlet-4.0, appSecurity-2.0, and appSecurity-3.0 features
CVE-2020-4303	6.1	Cross-site scripting	17.0.0.3 - 20.0.0.3	20.0.0.4	Affects the oauth-2.0, openidConnectClient-1.0, openidConnectServer-1.0, and samlWeb-2.0 features
CVE-2020-4304	6.1	Cross-site scripting	17.0.0.3 - 20.0.0.3	20.0.0.4	Affects the oauth-2.0, openidConnectClient-1.0, openidConnectServer-1.0, and samlWeb-2.0 features
CVE-2019-17573	6.1	Cross-site scripting	17.0.0.3 - 20.0.0.2	20.0.0.3	Affects the jaxws-2.2 feature
CVE-2019-12406	5.3	Denial of service	17.0.0.3 - 20.0.0.1	20.0.0.2	Affects the jaxrs-2.0, jaxrs-2.1, and jaxws-2.2 features
CVE-2019-4720	7.5	Denial of service	17.0.0.3 - 20.0.0.1	20.0.0.2
CVE-2019-17495	5.3	Information disclosure	17.0.0.3 - 19.0.0.12	20.0.0.1	Affects the mpOpenAPI-1.0, mpOpenAPI-1.1, and openapi-3.1 features
CVE-2019-4441	5.3	Information disclosure	17.0.0.3 - 19.0.0.10	19.0.0.11	Affects the jsp-2.2 and jsp-2.3 features
CVE-2014-3603	6.8	Spoofing	17.0.0.3 - 19.0.0.10	19.0.0.11	Affects the wsSecurity-1.1 and samlWeb-2.0 features
CVE-2019-9518	7.5	Denial of service	17.0.0.3 - 19.0.0.9	19.0.0.10	Affects the servlet-3.1 and servlet-4.0 features
CVE-2019-9517	7.5	Denial of service	17.0.0.3 - 19.0.0.9	19.0.0.10	Affects the servlet-3.1 and servlet-4.0 features
CVE-2019-9515	7.5	Denial of service	17.0.0.3 - 19.0.0.9	19.0.0.10	Affects the servlet-3.1 and servlet-4.0 features
CVE-2019-9514	7.5	Denial of service	17.0.0.3 - 19.0.0.9	19.0.0.10	Affects the servlet-3.1 and servlet-4.0 features
CVE-2019-9513	7.5	Denial of service	17.0.0.3 - 19.0.0.9	19.0.0.10	Affects the servlet-3.1 and servlet-4.0 features
CVE-2019-9512	7.5	Denial of service	17.0.0.3 - 19.0.0.9	19.0.0.10	Affects the servlet-3.1 and servlet-4.0 features
CVE-2019-4304	6.3	Bypass security	17.0.0.3 - 19.0.0.9	19.0.0.10	Affects the appSecurity-1.0 and appSecurity-2.0 features
CVE-2019-4305	5.3	Information disclosure	17.0.0.3 - 19.0.0.9	19.0.0.10	Affects the appSecurity-1.0 and appSecurity-2.0 features
CVE-2014-3603	6.5	Man-in-the-Middle	17.0.0.3 - 19.0.0.7	19.0.0.8	Affects the wsSecurity-1.1 and samlWeb-2.0 features
CVE-2019-4046	5.9	Denial of service	17.0.0.3 - 19.0.0.3	19.0.0.4	Affects the servlet-3.1 and servlet-4.0 features
CVE-2018-1902	3.1	Spoofing	17.0.0.3 - 19.0.0.2	19.0.0.3	Affects the servlet-3.1 and servlet-4.0 features
CVE-2018-1901	5.0	Privilege escalation	17.0.0.3 - 18.0.0.3	18.0.0.4	Affects the ldapRegistry-3.0 feature
CVE-2014-7810	5.0	Bypass security	17.0.0.3 - 18.0.0.3	18.0.0.4	Affects the jsp-2.2, jsp-2.3, and el-3.0 features
CVE-2018-8039	7.5	Man-in-the-Middle	17.0.0.3 - 18.0.0.2	18.0.0.3	Affects the jaxws-2.2, jaxrs-2.0, and jaxrs-2.1 features
CVE-2018-1755	5.9	Information disclosure	17.0.0.3 - 18.0.0.2	18.0.0.3	Affects the jaspic-1.1 feature
CVE-2018-1683	5.9	Information disclosure	17.0.0.3 - 18.0.0.2	18.0.0.3	Affects the ejbRemote-3.2 feature
CVE-2017-12624	5.3	Denial of service	17.0.0.3 - 17.0.0.4	18.0.0.1	Affects the jaxws-2.2, jaxrs-2.0, and jaxrs-2.1 features
CVE-2017-1788	5.3	Spoofing	17.0.0.3 - 17.0.0.4	18.0.0.1	Affects any feature that enables security, for example, the appSecurity-2.0, appSecurity-3.0, and restConnector-2.0 features
CVE-2016-100031	9.8	Execute code	17.0.0.3 - 17.0.0.4	18.0.0.1	Affects the servlet-3.1 and servlet-4.0 features